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Foreword 


... both Gauss and lesser mathematicians may be justified in rejoic- 
ing that there is one science {number theory] at any rate, and that 
their own, whose very remoteness from ordinary human activities 
should keep it gentle and clean. 


— G. H. Hardy, A Mathematician’s Apology, 1940 


G. H. Hardy would have been surprised and probably displeased with 
the increasing interest in number theory for application to “ordinary human 
activities” such as information transmission (error-correcting codes) and 
cryptography (secret codes). Less than a half-century after Hardy wrote 
the words quoted above, it is no longer inconceivable (though it hasn’t 
happened yet) that the N.S.A. (the agency for U.S. government work on 
cryptography) will demand prior review and clearance before publication 
of theoretical research papers on certain types of number theory. 

In part it is the dramatic increase in computer power and sophistica- 
tion that has influenced some of the questions being studied by number 
theorists, giving rise to a new branch of the subject, called “computational 
number theory.” 

This book presumes almost no background in algebra or number the- 
ory. Its purpose is to introduce the reader to arithmetic topics, both ancient 
and very modern, which have been at the center of interest in applications, 
especially in cryptography. For this reason we take an algorithmic approach, 
emphasizing estimates of the efficiency of the techniques that arise from the 
theory. A special feature of our treatment is the inclusion (Chapter VI) of 
some very recent applications of the theory of elliptic curves. Elliptic curves 
have for a long time formed a central topic in several branches of theoretical 
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mathematics; now the arithmetic of elliptic curves has turned out to have 
potential practical applications as well. 

Extensive exercises have been included in all of the chapters in order 
to enable someone who is studying the material outside of a formal course 
structure to solidify her/his understanding. 

The first two chapters provide a general background. A student who 
has had no previous exposure to algebra (field extensions, finite fields) or 
elementary number theory (congruences) will find the exposition rather 
condensed, and should consult more leisurely textbooks for details. On the 
other hand, someone with more mathematical background would probably 
want to skim through the first two chapters, perhaps trying some of the 
less familiar exercises. 

Depending on the students’ background, it should be possible to cover 
most of the first five chapters in a semester. Alternately, if the book is used 
in a sequel to a one-semester course in elementary number theory, then 
Chapters IIJ-VI would fill out a second—semester course. 

The dependence relation of the chapters is as follows (if one overlooks 
some inessential references to earlier chapters in Chapters V and VI): 


Chapter I 


Chapter II 


/ | \ 


Chapter III Chapter V Chapter VI 


Chapter IV 


This book is based upon courses taught at the University of Wash- 
ington (Seattle) in 1985-86 and at the Institute of Mathematical Sciences 
(Madras, India) in 1987. I would like to thank Gary Nelson and Douglas 
Lind for using the manuscript and making helpful corrections. 

The frontispiece was drawn by Professor A. T. Fomenko of Moscow 
State University to illustrate the theme of the book. Notice that the coded 
decimal digits along the walls of the building are not random. 

This book is dedicated to the memory of the students of Vietnam, 
Nicaragua and El Salvador who lost their lives in the struggle against 
U.S. aggression. The author’s royalties from sales of the book will be used 
to buy mathematics and science books for the universities and institutes of 
those three countries. 


Seattle, May 1987 


Preface to the Second Edition 


As the field of cryptography expands to include new concepts and tech- 
niques, the cryptographic applications of number theory have also broad- 
ened. In addition to elementary and analytic number theory, increasing use 
has been made of algebraic number theory (primality testing with Gauss 
and Jacobi sums, cryptosystems based on quadratic fields, the number field 
sieve) and arithmetic algebraic geometry (elliptic curve factorization, cryp- 
tosystems based on elliptic and hyperelliptic curves, primality tests based 
on elliptic curves and abelian varieties). Some of the recent applications 
of number theory to cryptography — most notably, the number field sieve 
method for factoring large integers, which was developed since the appear- 
ance of the first edition — are beyond the scope of this book. However, 
by slightly increasing the size of the book, we were able to include some 
new topics that help convey more adequately the diversity of applications 
of number theory to this exciting multidisciplinary subject. 

The following list summarizes the main changes in the second edition. 

e Several corrections and clarifications have been made, and many 
references have been added. 

e A new section on zero-knowledge proofs and oblivious transfer has 
been added to Chapter IV. 

e A section on the quadratic sieve factoring method has been added 
to Chapter V. 

e Chapter VI now includes a section on the use of elliptic curves for 
primality testing. 

e Brief discussions of the following concepts have been added: k- 
threshold schemes, probabilistic encryption, hash functions, the Chor- 
Rivest knapsack cryptosystem, and the U.S. government’s new Digital Sig- 
nature Standard. 


Seattle, May 1994 
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Some Topics in Elementary 
Number Theory 


Most of the topics reviewed in this chapter are probably well known to most 
readers. The purpose of the chapter is to recall the notation and facts from 
elementary number theory which we will need to have at our fingertips 
in our later work. Most proofs are omitted, since they can be found in 
almost any introductory textbook on number theory. One topic that will 
play a central role later — estimating the number of bit operations needed 
to perform various number theoretic tasks by computer — is not yet a 
standard part of elementary number theory textbooks. So we will go into 
most detail about the subject of time estimates, especially in §1. 


1 Time estimates for doing arithmetic 


Numbers in different bases. A nonnegative integer n written to the base b 
is a notation for n of the form (dx_1d%~2---dido)», where the d’s are digits, 
i.e., symbols for the integers between 0 and b — 1; this notation means that 
n = dy_b¥-! + dy_ob*-? +. ---4+d,b+ do. If the first digit d,_1 is not zero, 
we call n a k-digit base-b number. Any number between b*—! and b* is a 
k-digit number to the base b. We shall omit the parentheses and subscript 
(---)p in the case of the usual decimal system (b = 10) and occasionally in 
other cases as well, if the choice of base is clear from the context, especially 
when we're using the binary system (b = 2). Since it is sometimes useful to 
work in bases other than 10, one should get used to doing arithmetic in an 
arbitrary base and to converting from one base to another. We now review 
this by doing some examples. 
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Remarks. (1) Fractions can also be expanded in any base, i.e., they 
can be represented in the form (dx_d,—2---ddp.d_;d_2---)p. (2) When 
b > 10 it is customary to use letters for the digits beyond 9. One could also 
use letters for all of the digits. 

Example 1. (a) (11001001). = 201. 

(b) When b = 26 let us use the letters A—Z for the digits 0—25, 
respectively. Then (BAD)2g=679, whereas (B.AD) 26 = 133. 

Example 2. Multiply 160 and 199 in the base 7. Solution: 


316 
403 
1254 
16030 
161554 
Example 3. Divide (11001001). by (100111)2, and divide (HAPPY)26 
by (SAD)26. 
Solution: 
101 qoont Kp Mit 
100111 |11001001 SAD [HAPPY 
100111 GYBE 
101101 COLY 
100111 CCAI 
110 MLP 


Example 4. Convert 10° to the bases 2, 7 and 26 (using the letters 
A—Z as digits in the latter case). 

Solution. To convert a number n to the base ), one first gets the last 
digit (the ones’ place) by dividing n by b and taking the remainder. Then 
replace n by the quotient and repeat the process to get the second-to-last 
digit d,, and so on. Here we find that 


10® = (11110100001001000000)2 = (11333311)7 = (CEXHO)2.. 


Example 5. Convert 7 = 3.1415926--- to the base 2 (carrying out the 
computation 15 places to the right of the point) and to the base 26 (carrying 
out 3 places to the right of the point). 

Solution. After taking care of the integer part, the fractional part is 
converted to the base b by multiplying by b, taking the integer part of the 
result as d_;, then starting over again with the fractional part of what you 
now have, successively finding d_2, d_3,.... In this way one obtains: 


3.1415926 - -- = (11.001001000011111 ---)2 = (D.DRS---) 26. 
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Number of digits. As mentioned before, an integer n satifying b*-1 < 
n < b* has k digits to the base b. By the definition of logarithms, this gives 
the following formula for the number of base-b digits (here “[ ]” denotes 
the greatest integer function): 


logn 
logb 


number of digits = [tegen] +1l= +1, 

where here (and from now on) “log” means the natural logarithm loge. 
Bit operations. Let us start with a very simple arithmetic problem, the 

addition of two binary integers, for example: 


1111 
1111000 
+ 0011110 
10010110 


Suppose that the numbers are both k bits long (the word “bit” is short for 

“binary digit”); if one of the two integers has fewer bits than the other, we 

fill in zeros to the left, as in this example, to make them have the same 

length. Although this example involves small integers (adding 120 to 30), 

we should think of k as perhaps being very large, like 500 or 1000. 

Let us analyze in complete detail what this addition entails. Basically, 
we must repeat the following steps k times: 

1. Look at the top and bottom bit, and also at whether there’s a carry 
above the top bit. 

2. If both bits are 0 and there is no carry, then put down 0 and move on. 

3. If either (a) both bits are 0 and there is a carry, or (b) one of the bits 
is 0, the other is 1, and there is no carry, then put down 1 and move 
on. 

4. If either (a) one of the bits is 0, the other is 1, and there is a carry, or 
else (b) both bits are 1 and there is no carry, then put down 0, put a 
carry in the next column, and move on. 

5. If both bits are 1 and there is a carry, then put down 1, put a carry in 
the next column, and move on. 

Doing this procedure once is called a bit operation. Adding two k-bit 
numbers requires k bit operations. We shall see that more complicated 
tasks can also be broken down into bit operations. The amount of time a 
computer takes to perform a task is essentially proportional to the number 
of bit operations. Of course, the constant of proportionality — the number 
of nanoseconds per bit operation — depends on the particular computer 
system. (This is an over-simplification, since the time can be affected by 
“administrative matters,” such as accessing memory.) When we speak of 
estimating the “time” it takes to accomplish something, we mean finding 
an estimate for the number of bit operations required. In these estimates 
we shall neglect the time required for “bookkeeping” or logical steps other 
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than the bit operations; in general, it is the latter which takes by far the 
most time. 

Next, let’s examine the process of multiplying a k-bit integer by an 
£-bit integer in binary. For example, 


11101 
101 
11101 
111010 
11101 
101111001 


Suppose we use this familiar procedure to multiply a k-bit integer n 
by an é-bit integer m. We obtain at most £ rows (one row fewer for each 
0-bit in m), where each row consists of a copy of n shifted to the left 
a certain distance, i.e., with zeros put on at the end. Suppose there are 
£' < £ rows. Because we want to break down all our computations into bit 
operations, we cannot simultaneously add together all of the rows. Rather, 
we move down from the 2nd row to the é’-th row, adding each new row to 
the partial sum of all of the earlier rows. At each stage, we note how many 
places to the left the number n has been shifted to form the new row. We 
copy down the right-most bits of the partial sum, and then add to n the 
integer formed from the rest of the partial sum — as explained above, this 
takes k bit operations. In the above example 11101 x 1101, after adding the 
first two rows and obtaining 10010001, we copy down the last three bits 
001 and add the rest (i.e., 10010) to n = 11101. We finally take this sum 
10010 + 11101 = 101111 and append 001 to obtain 101111001, the sum of 
the £’ = 3 rows. 

This description shows that the multiplication task can be broken down 
into é’ — 1 additions, each taking k bit operations. Since ’—1 < ’ < @, 
this gives us the simple bound 


Time(multiply integer k bits long by integer @ bits long) < ké. 


We should make several observations about this derivation of an esti- 
mate for the number of bit operations needed to perform a binary multipli- 
cation. In the first place, as mentioned before, we counted only the number 
of bit operations. We neglected to include the time it takes to shift the 
bits in n a few places to the left, or the time it takes to copy down the 
right-most digits of the partial sum corresponding to the places through 
which n has been shifted to the left in the new row. In practice, the shifting 
and copying operations are fast in comparison with the large number of bit 
operations, so we can safely ignore them. In other words, we shall define a 
“time estimate” for an arithmetic task to be an upper bound for the number 
of bit operations, without including any consideration of shift operations, 
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changing registers (“copying”), memory access, etc. Note that this means 
that we would use the very same time estimate if we were multiplying a 
k-bit binary expansion of a fraction by an ¢-bit binary expansion; the only 
additional feature is that we must note the location of the point separating 
integer from fractional part and insert it correctly in the answer. 

In the second place, if we want to get a time estimate that is simple 
and convenient to work with, we should assume at various points that we’re 
in the “worst possible case.” For example, if the binary expansion of m has 
a lot of zeros, then @’ will be considerably less than £. That is, we could 
use the estimate Time(multiply k-bit integer by ¢-bit integer)< k- (number 
of 1-bits in m). However, it is usually not worth the improvement (i.e., 
lowering) in our time estimate to take this into account, because it is more 
useful to have a simple uniform estimate that depends only on the size of 
m and n and not on the particular bits that happen to occur. 

As a special case, we have: Time(multiply k-bit by k-bit)< k?. 

Finally, our estimate ké can be written in terms of n and m if we 
remember the above formula for the number of digits, from which it follows 
that k = [logon] +1< iA3 + Land £ = [loggm|+1< war +1. 

Example 6. Find an upper bound for the number of bit operations 
required to compute n!. 

Solution. We use the following procedure. First multiply 2 by 3, then 
the result by 4, then the result of that by 5,..., until you get to n. At the 
(j — 1)-th step (j = 2,3,...,n—1), you are multiplying j! by j + 1. Hence 
you have n—2 steps, where each step involves multiplying a partial product 
(i.e., 7!) by the next integer. The partial products will start to be very large. 
As a worst case estimate for the number of bits a partial product has, let’s 
take the number of binary digits in the very last product, namely, in n!. 

To find the number of bits in a product, we use the fact that the number 
of digits in the product of two numbers is either the sum of the number of 
digits in each factor or else 1 fewer than that sum (see the above discussion 
of multiplication). From this it follows that the product of n k-bit integers 
will have at most nk bits. Thus, if n is a k-bit integer — which implies that 
every integer less than n has at most k bits — then n! has at most nk bits. 

Hence, in each of the n—2 multiplications needed to compute n!, we are 
multiplying an integer with at most k bits (namely j+1) by an integer with 
at most nk bits (namely j!). This requires at most nk? bit operations. We 
must do this n — 2 times. So the total number of bit operations is bounded 
by (n — 2)nk? = n(n — 2)([loggn| + 1)?. Roughly speaking, the bound is 
approximately n?(logon)?. 

Example 7. Find an upper bound for the number of bit operations 
required to multiply a polynomial }* a;z* of degree < n; and a polynomial 
> bz? of degree < nz whose coefficients are positive integers < m. Suppose 
nz <n. 

Solution. To compute >>; poy a,b;, which is the coefficient of x” in the 
product polynomial (here 0 < v < ny + ng) requires at most ng + 1 multi- 
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plications and ne additions. The numbers being multiplied are bounded by 
m, and the numbers being added are each at most m?; but since we have 
to add the partial sum of up to nz such numbers we should take ngm? as 
our bound on the size of the numbers being added. Thus, in computing the 
coefficient of x” the number of bit operations required is at. most 


(nz + 1)(logom + 1)? + ng(loge(nem?) + 1). 


Since there are nj +n2+1 values of v, our time estimate for the polynomial 
multiplication is 


(ni + ng + 1)((n2 + 1)(loggm + 1)? + ne(logo(n2m?) + 1)). 


A slightly less rigorous bound is obtained by dropping the 1’s, thereby 
obtaining an expression having a more compact appearance: 


n2(ni + ne) ( m)? 


] : 
log 2 jog? + (log ng + 2log m)) 


Remark. If we set n = n; > ng and make the assumption that m > 16 
and m > ,/nz (which usually holds in practice), then the latter expression 
can be replaced by the much simpler 4n?(loggm)?. This example shows that 
there is generally no single “right answer” to the question of finding a bound 
on the time to execute a given task. One wants a function of the bounds 
on the imput data (in this problem, n;, n2 and m) which is fairly simple 
and at the same time gives an upper bound which for most input data is 
more-or-less the same order of magnitude as the number of bit operations 
that turns out to be required in practice. Thus, for example, in Example 7 
we would not want to replace our bound by, say, 4n?m, because for large 
m. this would give a time estimate many orders of magnitude too large. 

So far we have worked only with addition and multiplication of a k-bit 
and an é-bit integer. The other two arithmetic operations — subtraction and 
division — have the same time estimates as addition and multiplication, 
respectively: Time(subtract k-bit from &bit)< max(k, @); Time(divide k- 
bit by &bit)< kl. More precisely, to treat subtraction we must extend our 
definition of a bit operation to include the operation of subtracting a 0- 
or 1-bit from another 0- or 1-bit (with possibly a “borrow” of 1 from the 
previous column). See Exercise 8. 

To analyze division in binary, let us orient ourselves by looking at an 
illustration, such as the one in Example 3. Suppose k > @ (if k < @, then 
the division is trivial, i-e., the quotient is zero and the entire dividend is the 
remainder). Finding the quotient and remainder requires at most k — +1 
subtractions. Each subtraction requires @ or £+ 1 bit operations; but in the 
latter case we know that the left-most column of the difference will always 
be a 0-bit, so we can omit that bit operation (thinking of it as “bookkeeping” 
rather than calculating). We similarly ignore other administrative details, 
such as the time required to compare binary integers (i.e., take just enough 
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bits of the dividend so that the resulting integer is greater than the divisor), 
carry down digits, etc. So our estimate is simply (k — €+1)é, which is < ké. 

Example 8. Find an upper bound for the number of bit operations it 
takes to compute the binomial coefficient (”). 

Solution. Since Cy = cee without loss of generality we may as- 
sume that m < n/2. Let us use the following procedure to compute (7) = 
= n(n—1)(n—2) ---(n—m-+1)/(2:3---m). We have m—1 multiplications fol- 
lowed by m—1 divisions. In each case the maximum possible size of the first 
number in the multiplication or division is n(n — 1)(n—2)---(n—m+1) < 
n™, and a bound for the second number is n. Thus, by the same argument 
used in the solution to Example 6, we see that a bound for the total num- 
ber of bit operations is 2(m — 1)m([loggn] + 1)?, which for large m and n is 
essentially 2m?(log2n)?. 


We now discuss a very convenient notation for summarizing the situa- 
tion with time estimates. 

The big-O notation. Suppose that f(n) and g(n) are functions of the 
positive integers n which take positive (but not necessarily integer) values 
for all n. We say that f(n) = O(g(n)) (or simply that f = O(g)) if there 
exists a constant C’ such that f(n) is always less than C’-g(n). For example, 
2n? + 3n — 3 = O(n?) (namely, it is not hard to prove that the left side is 
always less than 3n?). 

Because we want to use the big-O notation in more general situations, 
we shall give a more all-encompassing definition. Namely, we shall allow f 
and g to be functions of several variables, and we shall not be concerned 
about the relation between f and g for small values of n. Just as in the 
study of limits as n —> oo in calculus, here also we shall only be concerned 
with large values of n. 

Definition. Let f(ni, n2,...,nr) and g(ni, n2,...,n,) be two func- 
tions whose domains are subsets of the set of all r-tuples of positive inte- 
gers. Suppose that there exist constants B and C’ such that whenever all 
of the n; are greater than B the two functions are defined and positive, 
and f(mi, n2,..-,Mr) < Cg(ni, n2,...,m,). In that case we say that f is 
bounded by g and we write f = O(g). 

Note that the “=” in the notation f = O(g) should be thought of as 
more like a “<” and the big-O should be thought of as meaning “some 
constant multiple.” 

Example 9. (a) Let f(n) be any polynomial of degree d whose leading 
coefficient is positive. Then it is easy to prove that f(n) = O(n). More 
generally, one can prove that f = O(g) in any situation when f(n)/g9(n) 
has a finite limit as n —> oo. 

(b) If € is any positive number, no matter how small, then one can 
prove that logn = O(n‘) (ie., for large n, the log function is smaller than 
any power function, no matter how small the power). In fact, this follows 
because limo 22 = 0, as one can prove using |’Hopital’s rule. 
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(c) If f(n) denotes the number k of binary digits in n, then it follows 
from the above formulas for k that f(n) = O(logn). Also notice that the 
same relation holds if f(n) denotes the number of base-b digits, where b is 
any fixed base. On the other hand, suppose that the base b is not kept fixed 
but is allowed to increase, and we let f(n,b) denote the number of base-b 
digits. Then we would want to use the relation f(n,b) = Oe : 

(d) We have: Time(n -m) = O(logn -logm), where the left hand side 
means the number of bit operations required to multiply n by m. 

(e) In Exercise 6, we can write: Time(n!) = O((nlogn)?). 

(f) In Exercise 7, we have: 


Time o> a,x" - > by) =O (rine (log m)? + log(min(n1, na)))). 


In our use, the functions f(n) or f(n1, ne,...,n-) will often stand 
for the amount of time it takes to perform an arithmetic task with the 
integer n or with the set of integers n1, n2,...,n, as input. We will want 
to obtain fairly simple-looking functions g(n) as our bounds. When we do 
this, however, we do not want to obtain functions g(n) which are much 
larger than necessary, since that would give an exaggerated impression of 
how long the task will take (although, from a strictly mathematical point 
of view, it is not incorrect to replace g(n) by any larger function in the 
relation f = O(g)). 

Roughly speaking, the relation f(n) = O(n) tells us that the function 
f increases approximately like the d-th power of the variable. For example, 
if d = 3, then it tells us that doubling n has the effect of increasing f by 
about a factor of 8. The relation f(n) = O(log?n) (we write log¢n to mean 
(logn)*) tells us that the function increases approximately like the d-th 
power of the number of binary digits in n. That is because, up to a constant 
multiple, the number of bits is approximately logn (namely, it is within 1 
of being log n/log 2 = 1.4427 logn). Thus, for example, if f(n) = O(log?n), 
then doubling the number of bits in n (which is, of course, a much more 
drastic increase in the size of n than merely doubling n) has the effect of 
increasing f by about a factor of 8. 

Note that to write f(n) = O(1) means that the function f is bounded 
by some constant. 

Remark. We have seen that, if we want to multiply two numbers of 
about the same size, we can use the estimate Time(k-bit-k-bit)=O(k?). It 
should be noted that much work has been done on increasing the speed 
of multiplying two k-bit integers when k is large. Using clever techniques 
of multiplication that are much more complicated than the grade-school 
method we have been using, mathematicians have been able to find a proce- 
dure for multiplying two k-bit integers that requires only O(k log k log log k) 
bit operations. This is better than O(k”), and even better than O(k!**) for 
any € > 0, no matter how small. However, in what follows we shall always 
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be content to use the rougher estimates above for the time needed for a 
multiplication. 

In general, when estimating the number of bit operations required to 
do something, the first step is to decide upon and write down an outline 
of a detailed procedure for performing the task. An explicit step-by-step 
procedure for doing calculations is called an algorithm. Of course, there 
may be many different algorithms for doing the same thing. One may choose 
to use the one that is easiest to write down, or one may choose to use the 
fastest one known, or else one may choose to compromise and make a trade- 
off between simplicity and speed. The algorithm used above for multiplying 
n by m is far from the fastest one known. But it is certainly a lot faster 
than repeated addition (adding n to itself m times). 

Example 10. Estimate the time required to convert a k-bit integer to 
its representation in the base 10. 

Solution. Let n be a k-bit integer written in binary. The conversion 
algorithm is as follows. Divide 10 = (1010)2 into n. The remainder — which 
will be one of the integers 0, 1, 10, 11, 100, 101, 110, 111, 1000, or 1001 
— will be the ones digit dg. Now replace n by the quotient and repeat the 
process, dividing that quotient by (1010)2, using the remainder as d, and 
the quotient as the next number into which to divide (1010)2. This process 
must be repeated a number of times equal to the number of decimal digits in 


n, which is [2235 | +1 = O(k). Then we’re done. (We might want to take our 


list of decimal digits, i.e., of remainders from all the divisions, and convert 
them to the more familiar notation by replacing 0, 1, 10, 11,...,1001 by 
0, 1, 2, 3,...,9, respectively.) How many bit operations does this all take? 
Well, we have O(k) divisions, each requiring O(4k) operations (dividing a 
number with at most k bits by the 4-bit number (1010)2). But O(4k) is the 
same as O(k) (constant factors don’t matter in the big-O notation), so we 
conclude that the total number of bit operations is O(k) -O(k) = O(k?). If 
we want to express this in terms of n rather than k, then since k = O(logn), 
we can write 


Time(convert n to decimal) = O(log?n). 


Example 11. Estimate the time required to convert a k-bit integer n 
to its representation in the base b, where b might be very large. 

Solution. Using the same algorithm as in Example 10, except dividing 
now by the £-bit integer b, we find that each division now takes longer (if 
£ is large), namely, O(k£) bit operations. How many times do we have to 
divide? Here notice that the number of base-b digits in n is O(k/£) (see 
Example 9(c)). Thus, the total number of bit operations required to do all 
of the necessary divisions is O(k/€) - O(ké) = O(k?). This turns out to be 
the same answer as in Example 10. That is, our estimate for the conversion 
time does not depend upon the base to which we’re converting (no matter 
how large it may be). This is because the greater time required to find each 
digit is offset by the fact that there are fewer digits to be found. 
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Example 12. Express in terms of the O-notation the time required to 
compute (a) n!, (b) (”) (see Examples 6 and 8). 


Solution. (a) O(n?log?n), (b) O(m?log?n). 


In concluding this section, we make a definition that is fundamental in 
computer science and the theory of algorithms. 

Definition. An algorithm to perform a computation involving integers 
N1, N2,...,N, Of ky, ko,...,k, bits, respectively, is said to be a polynomial 
time algorithm if there exist integers d,, do,...,d, such that the number of 
bit operations required to perform the algorithm is O(Ke ka... ker), 

Thus, the usual arithmetic operations +, —, x, + are examples of 
polynomial time algorithms; so is conversion from one base to another. 
On the other hand, computation of n! is not. (However, if one is satisfied 
with knowing n! to only a certain number of significant figures, e.g., its 
first 1000 binary digits, then one can obtain that by a polynomial time 
algorithm using Stirling’s approximation formula for n!.) 


Exercises 


1. Multiply (212)3 by (122)3. 

Divide (40122)7 by (126)z. 

3. Multiply the binary numbers 101101 and 11001, and divide 10011001 
by 1011. 

4. In the base 26, with digits A—Z representing 0—25, (a) multiply YES 
by NO, and (b) divide JQVXHJ by WE. 

5. Write e = 2.7182818--- (a) in binary 15 places out to the right of the 
point, and (b) to the base 26 out 3 places beyond the point. 

6. By a “pure repeating” fraction of “period” f in the base b, we mean a 
number between 0 and 1 whose base-b digits to the right of the point 
repeat in blocks of f. For example, 1/3 is pure repeating of period 1 
and 1/7 is pure repeating of period 6 in the decimal system. Prove that 
a fraction c/d (in lowest terms) between 0 and 1 is pure repeating of 
period f in the base 6 if and only if bf — 1 is a multiple of d. 

7. (a) The “hexadecimal” system means b = 16 with the letters A-F 

representing the tenth through fifteenth digits, respectively. Divide 
(131B6C3)ig by (1A2F)16. 
(b) Explain how to convert back and forth between binary and hex- 
adecimal representations of an integer, and why the time required is 
far less than the general estimate given in Example 11 for converting 
from binary to base-b. 

8. Describe a subtraction-type bit operation in the same way as was done 
for an addition-type bit operation in the text (the list of five alterna- 
tives). 


ad 
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(a) Using the big-O notation, estimate in terms of a simple function of 
n the number of bit operations required to compute 3” in binary. 

(b) Do the same for n” 

Estimate in terms of a simple function of n and N the number of bit 
operations required to compute N” 

The following formula holds for the sum of the first n perfect squares: 


n 


Le =n(n+1)(2n + 1)/6. 


(a) Using the big-O notation, estimate (in terms of n) the number of 
bit operations required to perform the computations in the left side of 
this equality. 

(b) Estimate the number of bit operations required to perform the 
computations on the right in this equality. 

Using the big-0 notation, estimate the number of bit operations re- 
quired to multiply an r x n-matrix by an n x s-matrix, where all matrix 
entries are < m. 

The object of this exercise is to estimate as a function of n the number 
of bit operations required to compute the product of all prime num- 
bers less than n. Here we suppose that we have already compiled an 
extremely long list containing all primes up to n. 

(a) According to the Prime Number Theorem, the number of primes 
less than or equal to n (this is denoted z(n)) is asymptotic to n/logn. 
This canis that the following limit approaches 1 as n —> oo: 

lim = “hog ogn: Using the Prime Number Theorem, estimate the number 
of binary digits in the product of all primes less than n. 

(b) Find a bound for the number of bit operations in one of the mul- 
tiplications that’s required in the computation of this product. 

(c) Estimate the number of bit operations required to compute the 
product of all prime numbers less than n. 

(a) Suppose you want to test if a large odd number n is a prime by 
trial division by all odd numbers < ,/n. Estimate the number of bit 
operations this will take. 

(b) In part (a), suppose you have a list of prime numbers up to ,/n, 
and you test primality by trial division by those primes (i.e., no longer 
running through all odd numbers). Give a time estimate in this case. 
Use the Prime Number Theorem. 

Estimate the time required to test if n is divisible by a prime < m. 
Suppose that you have a list of all primes < m, and again use the 
Prime Number Theorem. 

Let n be a very large integer written in binary. Find a simple algorithm 
that computes [,/n] in O(log?) bit operations (here [ ] denotes the 
greatest integer function). 
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2 Divisibility and the Euclidean algorithm 


oe fe: 


Divisors and divisibility. Given integers a and b, we say that a divides b (or 
“b is divisible by a”) and we write a|b if there exists an integer d such that 
b = ad. In that case we call a a divisor of b. Every integer b > 1 has at least 
two positive divisors: 1 and b. By a proper divisor of b we mean a positive 
divisor not equal to 0 itself, and by a nontrivial divisor of b we mean a 
positive divisor not equal to 1 or b. A prime number, by definition, is an 
integer greater than one which has no positive divisors other than 1 and 
itself; a number is called composite if it has at least one nontrivial divisor. 
The following properties of divisibility are easy to verify directly from the 
definition: 

1. If alb and c is any integer, then albc. 

2. If a|b and Odjc, then alc. 

3. If alb and alc, then alb+c. 

If p is a prime number and a is a nonnegative integer, then we use the 
notation p%||b to mean that p® is the highest power of p dividing }, i.e., 
that p%|b and p**! Jb. In that case we say that p* exactly divides b. 

The Fundamental Theorem of Arithmetic states that any natural num- 
ber n can be written uniquely (except for the order of factors) as a product 
of prime numbers. It is customary to write this factorization as a product of 
distinct primes to the appropriate powers, listing the primes in increasing 
order. For example, 4200 = 23 .3- 52-7. 

Two consequences of the Fundamental Theorem (actually, equivalent 
assertions) are the following properties of divisibility: 

4. Ifa prime number p divides ab, then either pla or p\b. 
5. If mla and nla, and if m and n have no divisors greater than 1 in 
common, then mnla. 

Another consequence of unique factorization is that it gives a system- 
atic method for finding all divisors of n once n is written as a product of 
prime powers. Namely, any divisor d of n must be a product of the same 
primes raised to powers not exceeding the power that exactly divides n. 
That is, if p*||n, then p*||d for some @ satisfying 0 < 6 < a. To find the 
divisors of 4200, for example, one takes 2 to the 0-, 1-, 2- or 3-power, mul- 
tiplied by 3 to the 0- or 1-power, times 5 to the 0-, 1- or 2-power, times 
7 to the 0- or 1- power. The number of possible divisors is thus the prod- 
uct of the number of possibilities for each prime power, which, in turn, is 
a+1. That is, a number n = p{'p$? --- p20 has (a1 +1)(a2+1)--- (a, +1) 
different divisors. For example, there are 48 divisors of 4200. 

Given two integers a and b, not both zero, the greatest common. divisor 
of a and b, denoted g.c.d.(a,b) (or sometimes simply (a, b)) is the largest 
integer d dividing both a and b. It is not hard to show that another equiv- 
alent definition of g.c.d.(a, b) is the following: it is the only positive integer 
d which divides a and 6 and is divisible by any other number which divides 
both a and b. 
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If you happen to have the prime factorization of a and b in front of you, 
then it’s very easy to write down g.c.d.(a, b). Simply take all primes which 
occur in both factorizations raised to the minimum of the two exponents. 
For example, comparing the factorization 10780 = 2? -5- 72-11 with the 
above factorization of 4200, we see that g.c.d.(4200, 10780) = 2-5-7 = 140. 

One also occasionally uses the least common multiple of a and b, de- 
noted I.c.m.(a, b). It is the smallest positive integer that both a and b divide. 
If you have the factorization of a and 6, then you can get I.c.m.(a, b) by tak- 
ing all of the primes which occur in either factorization raised to the mazi- 
mum of the exponents. It is easy to prove that I.c.m.(a, b) = |ab|/g.c.d.(a, b). 

The Euclidean algorithm. If you’re working with very large numbers, 
it’s likely that you won’t know their prime factorizations. In fact, an impor- 
tant area of research in number theory is the search for quicker methods of 
factoring large integers. Fortunately, there’s a relatively quick way to find 
g.c.d.(a, b) even when you have no idea of the prime factors of a or b. It’s 
called the Euclidean algorithm. 

The Euclidean algorithm works as follows. To find g.c.d.(a,b), where 
a > b, we first divide b into a and write down the quotient q, and the 
remainder r}: a = q,b+1,. Next, we perform a second division with b 
playing the role of a and r,; playing the role of b: b = gor; + To. Next, 
we divide ra into r1: r1 = g3r2 +73. We continue in this way, each time 
dividing the last remainder into the second-to-last remainder, obtaining 
a new quotient and remainder. When we finally obtain a remainder that 
divides the previous remainder, we are done: that final nonzero remainder 
is the greatest common divisor of a and b. 

Example 1. Find g.c.d.(1547, 560). 

Solution: 

1547 = 2- 560 + 427 
560 = 1 - 427 +.133 
427 = 3-133 + 28 
133 = 4-284 21 


28 = 1-21+7. 


Since 7|21, we are done: g.c.d.(1547, 560) = 7. 
Proposition 1.2.1. The Euclidean algorithm always gives the greatest 
common divisor in a finite number of steps. In addition, fora >b 


Time(finding g.c.d.(a,b) by the Euclidean algorithm) = O(log*(a)). 


Proof. The proof of the first assertion is given in detail in many ele- 
mentary number theory textbooks, so we merely summarize the argument. 
First, it is easy to see that the remainders are strictly decreasing from one 
step to the next, and so must eventually reach zero. To see that the last 
remainder is the g.c.d., use the second definition of the g.c.d. That is, if any 
number divides both a and 8, it must divide r,, and then, since it divides 
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b and rj, it must divide rz, and so on, until you finally conclude that it 
must divide the last nonzero remainder. On the other hand, working from 
the last row up, one quickly sees that the last remainder must divide all of 
the previous remainders and also a and b. Thus, it is the g.c.d., because the 
g.c.d. is the only number which divides both a and 6 and at the same time 
is divisible by any other number which divides a and b. 

We next prove the time estimate. The main question that must be 
resolved is how many divisions we’re performing. We claim that the re- 
mainders are not only decreasing, but they’re decreasing rather rapidly. 
More precisely: 

Claim. T342.< 5rj. 

Proof of claim. First, if rj41 < ST, then immediately we have rj2 < 
Tj41 < aE So suppose that rj41 > ari. In that case the next division 
gives: rj; = 1-17j41 +7j42, and so rj42 =7j — T7541 < ar 5, as claimed. 

We now return to the proof of the time estimate. Since every two steps 
must result in cutting the size of the remainder at least in half, and since 
the remainder never gets below 1, it follows that there are at most 2- [logza] 
divisions. This is O(log a). Each division involves numbers no larger than 
a, and so takes O(log*a) bit operations. Thus, the total time required is 
O(log a) -O(log?a) = O(log*a). This concludes the proof of the proposition. 

Remark. If one makes a more careful analysis of the number of bit 
operations, taking into account the decreasing size of the numbers in the 
successive divisions, one can improve the time estimate for the Euclidean 
algorithm to O(log’a). 

Proposition 1.2.2. Let d = g.c.d.(a,b), where a > b. Then there exist 
integers u and v such that d = ua-+ bv. In other words, the g.c.d. of two 
numbers can be expressed as a linear combination of the numbers with in- 
teger coefficients. In addition, finding the integers u and v can be done in 
O(loga) bit operations. 

Outline of proof. The procedure is to use the sequence of equalities in 
the Euclidean algorithm from the bottom up, at each stage writing d in 
terms of earlier and earlier remainders, until finally you get to a and b. At 
each stage you need a multiplication and an addition or subtraction. So it 
is easy to see that the number of bit operations is once again O(log?a). 

Example 1 (continued). To express 7 as a linear combination of 1547 
and 560, we successively compute: 


7 = 28 —1-21 = 28 — 1(133 — 4-28) 
= 5-28 —1-133 = 5(427 — 3-133) — 1-133 
= 5-427 — 16-133 = 5- 427 — 16(560 — 1 - 427) 
= 21-427 — 16 - 560 = 21(1547 — 2-560) — 16 - 560 
= 21-1547 — 58 - 560. 


Definition. We say that two integers a and b are relatively prime (or 
that “a is prime to b”) if g.c.d.(a,b) = 1, ie., if they have no common 
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divisor greater than 1. 

Corollary. If a > 6 are relatively prime integers, then 1 can be written as 
an integer linear combination of a and b in polynomial time, more precisely, 
in O(log?a) bit operations. 

Definition. Let n be a positive integer. The Euler phi-function y(n) is 
defined to be the number of nonnegative integers b less than n which are 
prime to n: 


y(n) Z,l{0 <b<n|g.c.d.(b,n) = 1}1. 


It is easy to see that (1) = 1 and that y(p) = p— 1 for any prime p. 
We can also see that for any prime power 


p(p") = p* — pt! = p*(1- =), 
Dp 
To see this, it suffices to note that the numbers from 0 to p* — 1 which are 
not prime to p® are precisely those that are divisible by p, and there are 
p*—} of those. 

In the next section we shall show that the Euler y-function has a 
“multiplicative property” that enables us to evaluate y(n) quickly, provided 
that we have the prime factorization of n. Namely, if n is written as a 
product of powers of distinct primes p% then it turns out that y(n) is equal 
to the product of the y(p%). 


Exercises 


1. (a) Prove the following properties of the relation p%||b: (i) if p*||a and 
p?|\b, then p*+4|\ab; (ii) if p*||a, p*||b and a < G, then p%||a +b. 
(b) Find a counterexample to the assertion that, if p%||a and p%||b, 
then p*||a + b. 

2. How many divisors does 945 have? List them all. 

3. Let n be a positive odd integer. 
(a) Prove that there is a 1-to-1 correspondence between the divisors 
of n which are < ,/n and those that are > ./n. (This part does not 
require n to be odd.) 
(b) Prove that there is a 1-to-1 correspondence between all of the divi- 
sors of n which are > ,/n and all the ways of writing n as a difference 
s? — ¢? of two squares of nonnegative integers. (For example, 15 has 
two divisors 6, 15 that are > /15, and 15 = 4? — 1? = 8? — 7?,) 
(c) List all of the ways of writing 945 as a difference of two squares of 
nonnegative integers. 

4. (a) Show that the power of a prime p which exactly divides n! is equal 
to [n/p] + [n/p*] + [n/p?] +--+. (Notice that this is a finite sum.) 
(b) Find the power of each prime 2, 3, 5, 7 that exactly divides 100!, 
and then write out the entire prime factorization of 100!. 
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(c) Let S,(n) denote the sum of the base-b digits in n. Prove that the 
exact power of 2 that divides n! is equal to n — S2(n). Find and prove a 
similar formula for the exact power of an arbitrary prime p that divides 
nl. 

Find d = g.c.d.(360, 294) in two ways: (a) by finding the prime factor- 
ization of each number, and from that finding the prime factorization 
of d; and (b) by means of the Euclidean algorithm. 

For each of the following pairs of integers, find their greatest common 
divisor using the Euclidean algorithm, and express it as an integer 
linear combination of the two numbers: 

(a) 26, 19; (b) 187, 34; (c) 841, 160; (d) 2613, 2171. 

One can often speed up the Euclidean algorithm slightly by allowing 
divisions with negative remainders, i.e., 7; = 9;427j+1 —Tj+2 a8 well as 
T; = Qj+27j3+1 +7342, whichever gives the smallest rj;+2. In this way we 
always have rj42 < STi 41. Do the four examples in Exercise 6 using 
this method. 

(a) Prove that the following algorithm finds d = g.c.d.(a, b) in finitely 
many steps. First note that g.c.d.(a, b) = g.c.d.(|a|, |b|), so that without 
loss of generality we may suppose that a and 6 are positive. If a and 
b are both even, set d = 2d’ with d’ = g.c.d.(a/2, b/2). If one of 
the two is odd and the other (say 6) is even, then set d = d’ with 
d' = g.c.d.(a, b/2). If both are odd and they are unequal, say a > b, 
then set d = d’ with d' = g.c.d.(a — b, b). Finally, if a = b, then set 
d =a. Repeat this process until you arrive at the last case (when the 
two integers are equal). 

(b) Use the algorithm in part (a) to find g.c.d.(2613, 2171) working in 
binary, i.e., find 


g.c.d.((101000110101)2, (100001111011)2) 


(c) Prove that the algorithm in part (a) takes only O(log?a) bit oper- 
ations (where a > b). 
(d) Why is this algorithm in the form presented above not necessarily 
preferable to the Euclidean algorithm? 
Suppose that a is much greater than b. Find a big-O time estimate for 
g.c.d.(a, b) that is better than O(log%a). 
The purpose of this problem is to find a “best possible” estimate for the 
number of divisions required in the Euclidean algorithm. The Fibonacci 
numbers can be defined by the rule f; = 1, fo = 1, fn4i = fn + 
fn-1 for n > 2, or, equivalently, by means of the matrix equation 
Ga fii ) - (; a 

f n f n-1 1 0 . 
(a) Suppose that a > b > 0, and it takes k divisions to find g.c.d.(a, b) 
by the Euclidean algorithm (the standard version given in the text, 
with nonnegative remainders). Show that a > fi+2- 
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(b) Using the matrix definition of f,, prove that 


a” —Q'” 1+ V5 , 1-¥v5 
fn = ——— where a= : a= : 
V5 2 
(c) Using parts (a) and (b), find an upper bound for k in terms of a. 
Compare with the estimate that follows from the proof of Proposition 
1.2.1. 
The purpose of this problem is to find a general estimate for the time 
required to compute g.c.d.(a, b) (where a > b) that is better than the 
estimate in Proposition I.2.1. 
(a) Show that the number of bit operations required to perform a 
divison a = gb +r is O((logb)(1 + logq)). 
(b) Applying part (a) to all of the O(log a) divisions of the form r;_1 = 
g:+17i + Ti+1, derive the time estimate O((log b)(Iog a)). 
Consider polynomials with real coefficients. (This problem will apply 
as well to polynomials with coefficients in any field.) If f and g are two 
polynomials, we say that f|g if there is a polynomial h such that g = 
fh. We define g.c.d.(f,g) in essentially the same way as for integers, 
namely, as a polynomial of greatest degree which divides both f and 
g. The polynomial g.c.d.(f,g) defined in this way is not unique, since 
we can get another polynomial of the same degree by multiplying by 
any nonzero constant. However, we can make it unique by requiring 
that the g.c.d. polynomial be monic, i.e., have leading coefficient 1. 
We say that f and g are relatively prime polynomials if their g.c.d. is 
the “constant polynomial” 1. Devise a procedure for finding g.c.d.’s of 
polynomials — namely, a Euclidean algorithm for polynomials — which 
is completely analogous to the Euclidean algorithm for integers, and 
use it to find (a) g.c.d.(z4 + 2? +1, 2? +1), and (b) g.c.d.(a* — 423 + 
6x? — 4x +1, x3 — x? + x —1). In each case find polynomials u(x) and 
v(x) such that the g.c.d. is expressed as u(x) f(x) + v(x)9(z). 
From algebra we know that a polynomial has a multiple root if and 
only if it has a common factor with its derivative; in that case the 
multiple roots of f(x) are the roots of g.c.d.(f, f’). Find the multiple 
roots of the polynomial xz* — 2x3 — x? + 22 +1. 
(Before doing this exercise, recall how to do arithmetic with complex 
numbers. Remember that, since (a+bi)(a—bi) is the real number a? +b? 
one can divide by writing (c+ di)/(a+bi) = (c+di)(a—bi)/(a? +b?).) 
The Gaussian integers are the complex numbers whose real and imag- 
inary parts are integers. In the complex plane they are the vertices of 
the squares that make up the grid. If a and £8 are two Gaussian inte- 
gers, we say that a|@ if there is a Guassian integer y such that 3 = ay. 
We define g.c.d.(a, 3) to be a Gaussian integer 6 of maximum absolute 
value which divides both a and £ (recall that the absolute value |6| 
is its distance from 0, i.e., the square root of the sum of the squares 
of its real and imaginary parts). The g.c.d. is not unique, because we 
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can multiply it by +1 or +i and obtain another 6 of the same absolute 
value which also divides a and (. This gives four possibilities. In what 
follows we will consider any one of those four possibilities to be “the” 
g.c.d. 

Notice that any complex number can be written as a Gaussian inte- 
ger plus a complex number whose real and imaginary parts are each 
between 5 and -}. Show that this means that we can divide one 
Gaussian integer a by another one @ and obtain a Gaussian integer 
quotient along with a remainder which is less than @ in absolute value. 
Use this fact to devise a Euclidean algorithm which finds the g.c.d. 
of two Gaussian integers. Use this Euclidean algorithm to find (a) 
g.c.d.(5 + 6i, 3 — 22), and (b) g.c.d.(7 — 111, 8 — 192). In each case ex- 
press the g.c.d. as a linear combination of the form ua + vf, where u 
and v are Gaussian integers. 

The last problem can be applied to obtain an efficient way to write 
certain large primes as a sum of two squares. For example, suppose 
that p is a prime which divides a number of the form b® + 1. We want 
to write p in the form p = c? + d? for some integers c and d. This is 
equivalent to finding a nontrivial Gaussian integer factor of p, because 
c? + d* = (c+ di)(c — di). We can proceed as follows. Notice that 


b&+1=(b7?+1)(b4-b? +1), and bt-b?4+1=(b?-1)? +07. 


By property 4 of divisibility, the prime p must divide one of the two 
factors on the right of the first equality. If p|b? + 1 = (b+ 7)(b — 4), 
then you will find that g.c.d.(p, b+) will give you the desired c+ di. If 
plbt —b? +1 = ((b? — 1) +i) ((b? — 1) — bi), then g.c.d.(p, (b? — 1) +i) 
will give you your c+ di. 

Example. The prime 12277 divides the second factor in the product 
206 + 1 = (207 + 1)(204* — 20? + 1). So we find g.c.d.(12277, 399 + 203): 


12277 = (31 — 24)(399 + 201) + (—132 + 178i), 
399 + 201 = (—1 — i)(—132 + 178i) + (89 + 661), 
—132 + 178i = (2i)(89 + 661), 


so that the g.c.d. is 89 + 664, ie., 12277 = 89? + 662 

(a) Using the fact that 19° + 1 = 2-13?-181-769 and the Euclidean al- 
gorithm for the Gaussian integers, express 769 as a sum of two squares. 
(b) Similarly, express the prime 3877, which divides 15° + 1, as a sum 
of two squares. 

(c) Express the prime 38737, which divides 2° + 1, as a sum of two 
squares. 
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3 Congruences 


Basic properties. Given three integers a, b and m, we say that “a is con- 

gruent to b modulo m” and write a = b mod m, if the difference a — 6 is 

divisible by m. m is called the modulus of the congruence. The following 
properties are easily proved directly from the definition: 

1. (i) a=a mod m,; (ii) a = b mod m if and only if b = a mod m; (iii) 
if a = b mod m and b = c mod m, then a = c mod m. For fixed m, 
(i)-(iii) mean that congruence modulo m is an equivalence relation. 

2. For fixed m, each equivalence class with respect to congruence modulo 
m has one and only one representative between 0 and m — 1. (This 
is just another way of saying that any integer is congruent modulo 
m to one and only one integer between 0 and m — 1.) The set of 
equivalence classes (called residue classes) will be denoted Z/mZ. Any 
set of representatives for the residue classes is called a complete set of 
residues modulo m. 

3. If a= b mod m and c = d mod m, then atc = b+d mod m and 
ac = bd mod m. In other words, congruences (with the same modu- 
lus) can be added, subtracted, or multiplied. One says that the set of 
equivalence classes Z/mZ is a commutative ring, i.e., residue classes 
can be added, subtracted or multiplied (with the result not depend- 
ing on which representatives of the equivalence classes were used), and 
these operations satisfy the familiar axioms (associativity, commuta- 
tivity, additive inverse, etc.). 

4. Ifa=bmodm, then a= b mod d for any divisor d|m. 

5. Ifa=b mod m,a=b mod n, and m and n are relatively prime, then 
a =b mod man. (See Property 5 of divisibility in § 1.2.) 

Proposition 1.3.1. The elements of Z/mZ which have multiplicative 
inverses are those which are relatively prime to m, i.e., the numbers a for 
which there exists 6 with ab = 1 mod m are precisely those a _ for 
which g.c.d.(a,m) = 1. In addition, if g.c.d.(a,m) = 1, then such an inverse 
b can be found in O(log?m) bit operations. 

Proof. First, if d = g.c.d.(a,m) were greater than 1, we could not have 
ab = 1 mod m for any b, because that would imply that d divides ab — 1 
and hence divides 1. Conversely, if g.c.d.(a,m) = 1, then by Property 2 
above we may suppose that a < m. Then, by Proposition I.2.2, there exist 
integers u and v that can be found in O(log?m) bit operations for which 
ua + um = 1. Choosing b = u, we see that m|1 — ua = 1 — ab, as desired. 

Remark. If g.c.d.(a,m) = 1, then by negative powers a~" mod m we 
mean the n-th power of the inverse residue class, i.e., it is represented by 
the n-th power of any integer b for which ab = 1 mod m. 

Example 1. Find 160-1 mod 841, i.e., the inverse of 160 modulo 841. 

Solution. By Exercise 6(c) of the last section, the answer is 205. 


Corollary 1. [f p is a prime number, then every nonzero residue class 
has a multiplicative inverse which can be found in O(log*p) bit operations. 
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We say that the ring Z/pZ is a field. We often denote this field Fp, the 
“field of p elements.” 


Corollary 2. Suppose we want to solve a linear congruence ax = 
b mod m, where without loss of generality we may assume that 0 < a,b <_m. 
First, if g.c.d.(a,m) = 1, then there is a solution xo which can be found in 
O(log?m) bit operations, and all solutions are of the form x = x9 +mn for 
n an integer. Neat, suppose that d = g.c.d.(a,m). There exists a solution if 
and only if d|b, and in that case our congruence is equivalent (in the sense 
of having the same solutions) to the congruence a'r = b' mod m} where 
a’ =a/d, b' = b/d, m’ =m/d. 

The first corollary is just a special case of Proposition I.3.1. The second 
corollary is easy to prove from Proposition I.3.1 and the definitions. As 
in the case of the familiar linear equations with real numbers, to solve 
linear equations in Z/mZ one multiplies both sides of the equation by the 
multiplicative inverse of the coefficient of the unknown. 


In general, when working modulo m, the analogy of “nonzero” is often 
“prime to m.” We saw above that, like equations, congruences can be added, 
subtracted and multiplied (see Property 3 of congruences). They can also 
be divided, provided that the “denominator” is prime to m. 

Corollary 3. If a = b mod m and c=d mod m, and if g.c.d.(c,m) = 1 
(in which case also g.c.d.(d,m) = 1), then ac~1 = bd~! mod m (where c7} 
and d~} denote any integers which are inverse to c and d modulo m). 

To prove Corollary 3, we have c(ac~1 — bd~!) = (acc! — bdd-') = 
a—b=0 mod m, and since m has no common factor with c, it follows that 
m must divide ac~! — bd! 


Proposition 1.3.2 (Fermat’s Little Theorem). Let p be a prime. Any 
integer a satisfies a? = a mod p, and any integer a not divisible by p 
satisfies a?—1 = 1 mod p. 

Proof. First suppose that p Ja. We first claim that the integers 
Oa, 1a, 2a, 3a, ...,(p—1)a are a complete set of residues modulo p. To see 
this, we observe that otherwise two of them, say ia and ja, would have to 
be in the same residue class, i.e., ia = ja mod p. But this would mean that 
p\(i — j)a, and since a is not divisible by p, we would have pli — j. Since i 
and j are both less than p, the only way this can happen is if i = j. We 
conclude that the integers a, 2a,...,(p—1)a are simply a rearrangement of 
1, 2,...,p—1 when considered modulo p. Thus, it follows that the product 
of the numbers in the first sequence is congruent modulo p to the product 
of the numbers in the second sequence, i.e., a?~1(p — 1)! = (p — 1)! mod p. 
Thus, p|((p — 1)!(a?-! — 1)). Since (p — 1)! is not divisible by p, we have 
p|(a?-1 — 1), as required. Finally, if we multiply both sides of the congru- 
ence a?-! = 1 mod p by a, we get the first congruence in the statement of 
the proposition in the case when a is not divisible by p. But if a is divisible 
by p, then this congruence a? = a mod p is trivial, since both sides are 
= 0 mod p. This concludes the proof of the proposition. 
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Corollary. If a is not divisible by p and if n = m mod (p — 1), then 
a” =a™ mod p. 

Proof of corollary. Say n > m. Since p — 1|n — m, we have n = m+ 
c(p—1) for some positive integer c. Then multiplying the congruence a?-! = 
1 mod m by itself c times and then by a” = a™ mod p gives the desired 
result: a” = a™ mod p. 

Example 2. Find the last base—7 digit in 21000000 

Solution. Let p = 7. Since 1000000 leaves a remainder of 4 when divided 
by p—1=6, we have 21000000 — 94 — 16 = 2 mod 7, so 2 is the answer. 

Proposition I.3.3 (Chinese Remainder Theorem). Suppose that we want 
to solve a system of congruences to different moduli: 


2 =a, mod m, 
L = a2 mod mz, 


x2 =a, mod m,. 


Suppose that each pair of moduli is relatively prime: g.c.d.(m;, m;) = 1 
fori # j. Then there exists a simultaneous solution x to all of the con- 
gruences, and any two solutions are congruent to one another modulo 
M= MyM2°++Mr. 

Proof. First we prove uniqueness modulo M (the last sentence). Sup- 
pose that z’ and x” are two solutions. Let z = 2’ — x’! Then z must be 
congruent to 0 modulo each m;, and hence modulo M (by Property 5 at 
the beginning of the section). We next show how to construct a solution z. 

Define M; = M/m; to be the product of all of the moduli except for the 
i-th. Clearly g.c.d.(m;, M;) = 1, and so there is an integer N; (which can be 
found by means of the Euclidean algorithm) such that M;N; = 1 mod m,. 
Now set z = )); a;M;,N;. Then for each i we see that the terms in the sum 
other than the i-th term are all divisible by m;, because m;|M; whenever 
j #1. Thus, for each i we have: x = a;M;N; = a; mod m,, as desired. 

Corollary. The Euler phi-function is “multiplicative? meaning that 
p(mn) = p(m)y(n) whenever g.c.d.(m,n) = 1. 

Proof of corollary. We must count the number of integers between 0 
and mn — 1 which have no common factor with mn. For each j in that 
range, let 7, be its least nonnegative residue modulo m (i.e., 0 < j1 <_m 
and j = j; mod m) and let jo be its least nonnegative residue modulo n 
(i.e., 0 < jo <n and j = je mod n). It follows from the Chinese Remainder 
Theorem that for each pair 71, j2 there is one and only one 7 between 0 and 
mn—1 for which 7 = 7; mod m, j = jo mod n. Notice that j has no common 
factor with mn if and only if it has no common factor with m — which is 
equivalent to 7; having no common factor with m — and it has no common 
factor with n — which is equivalent to j2 having no common factor with 
n. Thus, the j’s which we must count are in 1-to-1 correspondence with 
the pairs ji, j2 for which 0 < j, < m, g.cd.(ji, m) = 1,0 < jo <n, 
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g.c.d.(j2, n) = 1. The number of possible j;’s is y(m), and the number of 
possible j2’s is y(n). So the number of pairs is y(m)y(n). This proves the 
corollary. 

Since every n can be written as a product of prime powers, each of 
which has no common factors with the others, and since we know the for- 
mula y(p*) = p*(1 — rae we can use the corollary to conclude that for 


T= Py! Pg? Pr” 
1 1 1 1 
n)= s(1-=) g(1-—)-- e(1-—) =n] J (1--). 
y(n) Py} D1 P2 po Pr Pr p 


As a consequence of the formula for y(n), we have the following fact, 
which we shall refer to later when discussing the RSA system of public key 
cryptography. 

Proposition 1.3.4. Suppose that n is known to be the product of two 
distinct primes. Then knowledge of the two primes p, q is equivalent to 
knowledge of p(n). More precisely, one can compute y(n) from p, q in 
O(log n) bit operations, and one can compute p and q from n and y(n) in 
O(log?n) bit operations. 

Proof. The proposition is trivial if n is even, because in that case we 
immediately know p = 2, gq = n/2, and y(n) = n/2 — 1; so we suppose 
that n is odd. By the multiplicativity of y, for n = pq we have y(n) = 
(p—1)(q—1) = n+1-(p+q). Thus, y(n) can be found from p and q using 
one addition and one subtraction. Conversely, suppose that we know n and 
y(n), but not p or g. We regard p, g as unknowns. We know their product 
n and also their sum, since p+ q =n+1-— y(n). Call the latter expression 
2b (notice that it is even). But two numbers whose sum is 2b and whose 
product is n must be the roots of the quadratic equation x? — 2br +n = 0. 
Thus, p and q equal b + Vb? —n. The most time-consuming step is the 
evaluation of the square root, and by Exercise 16 of §I.1 this can be done 
in O(log?n) bit operations. This completes the proof. 


We next discuss a generalization of Fermat’s Little Theorem, due to 
Euler. 

Proposition 1.3.5. If g.c.d.(a, m) = 1, then a?(™) = 1 mod m. 

Proof. We first prove the proposition in the case when m is a prime 
power: m = p% We use induction on a. The case a = 1 is precisely Fermat’s 
Little Theorem (Proposition 1.3.2). Suppose that a > 2, and the formula 
holds for the (a — 1)-st power of p. Then i an ee p*—'b for some 
integer b, by the induction assumption. Raising both sides of this equation 
to the p-th power and using the fact that the binomial coefficients in (1+<)? 
are each divisible by p (except in the 1 and 2? at the ends), we see that 
aP*-P** is equal to 1 plus a sum with each term divisible by p% That is, 
a?(P") — 1 is divisible by p%, as desired. This proves the proposition for 
prime powers. 
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Finally, by the multiplicativity of y, it is clear that a?(™) = 1 mod p% 
(simply raise both sides of a?°") = 1 mod p“ to the appropriate power). 
Since this is true for each p%||m, and since the different prime powers have 
no common factors with one another, it follows by Property 5 of congruences 
that a?(™) = 1 mod m. 

Corollary. If g.c.d.(a, m) = 1 and ifn’ is the least nonnegative residue 
of n modulo y(m), then a” = a™ mod m. 

This corollary is proved in the same way as the corollary of Proposition 
1.3.2. 

Remark. As the proof of Proposition I.3.5 makes clear, there’s a smaller 
power of a which is guaranteed to give 1 mod m: the least common multiple 
of the powers that give 1 mod p® for each p®||m. For example, al? = 
1 mod 105 for a prime to 105, because 12 is a multiple of 3— 1, 5 —1 and 
7—1. Note that y(105) = 48. Here is another example: 

Example 3. Compute 2109090 mod 77. 

Solution. Because 30 is the least common multiple of y(7) = 6 and 
(11) = 10, by the above remark we have 23° = 1 mod 77. Since 1000000 = 
30-33333+ 10, it follows that 21000000 = 210 = 93 mod 77. A second method 
of solution would be first to compute 2100099 mod 7 (since 1000000 = 
6 - 166666 + 4, this is 24 = 2) and also 2100909 mod 11 (since 1000000 is 
divisible by 11—1, this is 1), and then use the Chinese Remainder Theorem 
to find an x between 0 and 76 which is = 2 mod 7 and = 1 mod 11. 


Modular exponentiation by the repeated squaring method. A ba- 
sic computation one often encounters in modular arithmetic is finding 
b" mod m (i.e., finding the least nonnegative residue) when both m and 
n are very large. There is a clever way of doing this that is much quicker 
than repeated multiplication of b by itself. In what follows we shall assume 
that b < m, and that whenever we perform a multiplication we then im- 
mediately reduce mod m (i.e., replace the product by its least nonnegative 
residue). In that way we never encounter any integers greater than m? We 
now describe the algorithm. 

Use a to denote the partial product. When we’re done, we'll have a 
equal to the least nonnegative residue of 6" mod m. We start out with 
a = 1. Let no, m1,...,n%~-1 denote the binary digits of n, ie., n = no + 
Qn; + 4ng +--+ + 2*-1n,_1. Each nj; is 0 or 1. If no = 1, change a to b 
(otherwise keep a = 1). Then square b, and set b; = b? mod m (i.e., by is 
the least nonnegative residue of b? mod m). If ny = 1, multiply a by by 
(and reduce mod m); otherwise keep a unchanged. Next square b;, and set 
by = b? mod m. If ng = 1, multiply a by b2; otherwise keep a unchanged. 
Continue in this way. You see that in the j-th step you have computed 
b; = b® mod m. If n; = 1, ie., if 2 occurs in the binary expansion of n, 
then you include b, in the product for a (if 2/ is absent from n, then you do 
not). It is easy to see that after the (k — 1)—st step you'll have the desired 
a= 0b" mod m. 
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How many bit operations does this take? In each step you have either 
1 or 2 multiplications of numbers which are less than m? And there are 
k — 1 steps. Since each step takes O(log?(m?))= O(log?m) bit operations, 
we end up with the following estimate: 

Proposition 1.3.6. Time(b" mod m) = O((logn)(log?m)). 

Remark. If n is very large in Proposition I.3.6, you might want to 
use the corollary of Proposition 1.3.5, replacing n by its least nonnegative 
residue modulo y(m). But this requires that you know y(m). If you do know 
p(m), and if g.c.d.(b,m) = 1, so that you can replace n by its least nonneg- 
ative residue modulo y(m), then the estimate on the right in Proposition 
1.3.6 can be replaced by O(log?m). 

As a final application of the multiplicativity of the Euler y-function, 
we prove a formula that will be used at the beginning of Chapter II. 

Proposition 1.3.7. ) 74), 9(d) =n. 

Proof. Let f(n) denote the left side of the equality in the proposition, 
i.e., f(n) is the sum of (d) taken over all divisors d of n (including 1 and 
n). We must show that f(n) = n. We first claim that f(n) is multiplica- 
tive, ie., that f(mn) = f(m)f(n) whenever g.c.d.(m,n) = 1. To see this, 
we note that any divisor d|mn can be written (in one and only one way) 
in the form d, - dz, where d,|m, d2|n. Since g.c.d.(di,d2) = 1, we have 
y(d) = y(d:)y(d2), because of the multiplicativity of y. We get all possible 
divisors d of mn by taking all possible pairs d,, dz where d, is a divisor 
of m and dp is a divisor of n. Thus, f(mn) = Yiaijm Nudgin P(41)9(d2) = 


(Sa im p(d1)) ae p(dz)) = f(m)f(n), as claimed. Now to prove the 


proposition suppose that n = p?'---p?r is the prime factorization of n. 
By the multiplicativity of f, we find that f(n) is a product of terms of 
the form f(p~). So it suffices to prove the proposition for p% i.e., to prove 
that f(p*) = p% But the divisors of p* are p’ for 0 < j < a, and so 


f(p*) = Dj-0 9(P?) = 1+ L5_-1 (p? — p?*) = p% This proves the proposi- 
tion for p% and hence for all n. 


Exercises 


1. Describe all of the solutions of the following congruences: 


(a) 32 = 4 mod 7; (d) 272 = 25 mod 256; 
(b) 32 = 4 mod 12; (e) 272 = 72 mod 900; 
(c) 92 = 12 mod 21; (f) 1032 = 612 mod 676. 


2. What are the possibilities for the last hexadecimal digit of a perfect 
square? (See Exercise 7 of §1.1.) 

3. What are the possibilities for the last base-12 digit of a product of two 
consecutive positive odd numbers? 


10. 


11. 


12. 


13. 


14, 
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Prove that a decimal integer is divisible by 3 if and only if the sum of 
its digits is divisible by 3, and that it is divisible by 9 if and only if the 
sum of its digits is divisible by 9. 

Prove that n> — n is always divisible by 30. 

Suppose that in tiling a floor that is 8 ft x 9 ft, you bought 72 tiles at 
a price you cannot remember. Your receipt gives the total cost before 
taxes as some amount under $100, but the first and last digits are 
illegible. It reads $70.67. How much did the tiles cost? 

(a) Suppose that m is either a power p® of a prime p > 2 or else 
twice an odd prime power. Prove that, if <2 = 1 mod m, then either 
x =1 mod mor z = —-1 mod m. 

(b) Prove that part (a) is always false if m is not of the form p® or 2p% 
and m # 4. 

(c) Prove that if m is an odd number which is divisible by r different 
primes, then the congruence x? = 1 mod m has 2” different solutions 
between 0 and m. 

Prove “Wilson’s Theorem,” which states that for any prime p: (p—1)! = 
—1 mod p. Prove that (n —1)! is not congruent to —1 mod n if n is not 
prime. 

Find a 3-digit (decimal) number which leaves a remainder of 4 when 
divided by 7, 9, or 11. 

Find the smallest positive integer which leaves a remainder of 1 when 
divided by 11, a remainder of 2 when divided by 12, and a remainder 
of 3 when divided by 13. 

Find the smallest nonnegative solution of each of the following systems 
of congruences: 


(a) r=2mod3 (b) r=12 mod 31 (c) 19x = 103 mod 900 
z=3mod5 x = 87 mod 127 10z = 511 mod 841 
x=4mod 11 x = 91 mod 255 
x =5 mod 16 


Suppose that a 3-digit (decimal) positive integer which leaves a re- 
mainder of 7 when divided by 9 or 10 and 3 when divided by 11 goes 
evenly into a six-digit natural number which leaves a remainder of 8 
when divided by 9, 7 when divided by 10, and 1 when divided by 11. 
Find the quotient. 

In the situation of Proposition I.3.3, suppose that 0 < a; <_m; < B for 
all j, where B is some large bound on the size of the moduli. Suppose 
that r is also large. Find an estimate for the number of bit operations 
required to solve the system. Your time estimate should be a function 
of B and r, and should allow for the possibility that r is either very 
large or very small compared to the number of bits in B. 

Use the repeated squaring method to find 387° mod 103. 
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15. 


16. 


17. 
18. 


19. 


20. 


21. 


22. 


23. 
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In exact integer arithmetic (rather than modular arithmetic) does the 
repeated squaring method save time? Explain, using big-O estimates. 
Notice that for a prime to p, a?~? is an inverse of a modulo p. Suppose 
that p is very large. Compare using the repeated squaring method to 
find a?-? with the Euclidean algorithm as an efficient means to find 
a1 mod p when (a) a has almost as many digits as p, and (b) when a 
is much smaller than p. 

Find y(n) for all m from 90 to 100. 

Make a list showing all n for which y(n) < 12, and prove that your list 
is complete. 

Suppose that n is not a perfect square, and that n—1 > y(n) > n—n?/3 
Prove that n is a product of two distinct primes. 

If m > 8 is a power of 2, show that the exponent in Proposition 1.3.5 
can be replaced by y(m)/2. 

Let m = 7785562197230017200 = 24-33 -5?-7-11-13-19-31-37-41- 
61- 73-181. 

(a) Find the least nonnegative residue of 664756? mod m. 

(b) Let a be a positive integer less than m which is prime to m. 
First, find a positive power of a less than 500 which is certain to give 
a~! mod m. Next, describe an algorithm for finding this power of a 
working modulo m. How many multiplications and divisions are needed 
to carry out this algorithm? (Reducing a number modulo m counts as 
one division.) What is the maximum number of bits you could en- 
counter in the integers that you work with? Finally, give a good esti- 
mate of the number of bit operations needed to find a~! mod m by 
this method. (Your answer should be a specific number — do not use 
the big-O notation here.) 

Give another proof of Proposition 1.3.7 as follows. For each divisor d of 
n, let Sq denote the subset (actually a so-called “subgroup”) of Z/nZ 
consisting of all multiples of n/d. Thus, Sq has d elements. 

(a) Prove that Sq has y(d) different elements x which generate Sq, 
meaning that the multiples of x (considered modulo n) give all elements 
of Sa. 

(b) Prove that every element of x generates one of the Sg, and hence 
that the number of elements in Z/nZ is equal to the sum (taken over 
divisors d) of the number of elements that generate Sq. In light of part 
(a), this gives Proposition 1.3.7. 

(a) Using the Fundamental Theorem of Arithmetic, prove that 


a 


all primes p 


diverges to infinity. 
(b) Using part (a), prove that the sum of the reciprocals of the primes 
diverges. 
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(c) Find a sequence n; approaching oo for which Lim so Pd =1 


and a sequence n; for which lim so SS) =0. 

24. Let N be an extremely large secret integer used to unlock a missile sys- 

tem, i.e., knowing N would enable one to launch the missiles. Suppose 
you have a commanding general and n different lieutenant generals. 
In the event that the commanding general (who knows N) is incapac- 
itated, you want the lieutenant generals each to have enough partial 
information about N so that any three of them (but never two of them) 
can agree to launch the missiles. 
(a) Let p1,...,Dn be n different primes, all of which are greater than 
WN but much smaller than VN. Using the p;, describe the partial 
information about N that should be given to the lieutenant generals. 
(b) Generalize this system to the situation where you want any set 
of k (k > 2) of the lieutenant generals, working together, to be able 
to launch the missiles (but a set of k — 1 of them can never unlock 
the system). Such a set-up is called a k-threshold system for sharing a 
secret. 
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Proposition 1.4.1. For any integer b and any positive integer n, b” — 1 is 
divisible by b—1 with quotient b*-! + b"-2 4..--+b?+b+1. 

Proof. We have a polynomial identity coming from the following fact: 1 
is a root of x” — 1, and so the linear term z — 1 must divide x” — 1. Namely, 
polynomial division gives 2” — 1 = (x —1)(2"-! +a"? +..-+2? 4241). 
(Alternately, we can derive this by multiplying z by 2"~! + 2"-? +... 4 
z*+2+1, then subtracting 2*—! + 2"-? +. ---+a?42+41, and finally 
obtaining x” — 1 after all the canceling.) Now we get the proposition by 
replacing x by b. 

A second proof is to use arithmetic in the base b. Written to the base 
b, the number b" — 1 consists of n digits b — 1 (for example, 106 — 1 = 
999999). On the other hand, b"~! + b"-? +. --- + 6? +6+ 1 consists of 
n digits all 1. Multiplying 111---111 by the 1-digit number b — 1 gives 
(b— 1)(6-1)(6— 1)---(6-1)(6-1)(-1), =b" -1. 

Corollary. For any integer b and any positive integers m and n, we 
have b™™ — 1 = (b™ — 1)(b™™—D 4 prrl(n—2) +... 4b? 4 HM + 1), 

Proof. Simply replace b by b™ in the last proposition. 

As an example of the use of this corollary, we see that 2°° —1 is divisible 
by 25 —1 = 31 and by 2? —1 = 127. Namely, we set b = 2 and either 
m=5,n=7 or elsem=7, n=5. 

Proposition 1.4.2. Suppose that b is prime to m, anda and c are positive 
integers. If b* = 1 mod m and b° = 1 mod m, and if d = g.c.d.(a,c), then 
b¢ = 1 mod m. 
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Proof. Using the Euclidean algorithm, we can write d in the form 
ua + uc, where u and v are integers. It is easy to see that one of the two 
numbers wu, v is positive and the other is negative or zero. Without loss of 
generality, we may suppose that u > 0, v < 0. Now raise both sides of the 
congruence b* = 1 mod m to the u-th power, and raise both sides of the 
congruence b° = 1 mod m to the (—v)-th power. Now divide the resulting 
two congruences, obtaining: b**~°(-) = 1 mod m. But au+ cv = d, so the 
proposition is proved. 

Proposition 1.4.3. If p is a prime dividing b" —1, then either (i) p|b¢—1 
for some proper divisor d of n, or else (ii) p=1 mod n. Ifp > 2 and n is 
odd, then in case (ii) one has p= 1 mod 2n. 

Proof. We have b" = 1 mod p and also, by Fermat’s Little Theorem, 
we have b?-! = 1 mod p. By the above proposition, this means that b¢ = 
1 mod p, where d = g.c.d.(n, p — 1). First, if d < n, then this says that 
p|b¢ —1 for a proper divisor d of n, i-e., case (i) holds. On the other hand, 
if d = n, then, since d|p — 1, we have p = 1 mod n. Finally, if p and n are 
both odd and n| p — 1 (i.e., we’re in case (ii)), then obviously 2n| p — 1. 

We now show how this proposition can be used to factor certain types 
of large integers. 


Examples 


1. Factor 21! — 1 = 2047. If p| 2! — 1, by the theorem we must have 
p = 1 mod 22. Thus, we test p = 23, 67, 89,... (actually, we need go 
no farther than 2047 = 45.---). We immediately obtain the prime 
factorization of 2047: 2047 = 23 - 89. In a very similar way, one can 
quickly show that 213 — 1 = 8191 is prime. A prime of the form 2” — 1 
is called a “Mersenne prime.” 

2. Factor 3!2 — 1 = 531440. By the proposition above, we first try the 
factors of the much smaller numbers 3! — 1, 3?—1, 37-1, 34—1, and 
the factors of 3° — 1 = (3% — 1)(3? + 1) which do not already occur in 
33 — 1. This gives us 24-5-7- 13. Since 531440/(24-5- 7-13) = 73, 
which is prime, we are done. Note that, as expected, any prime that 
did not occur in 34 — 1 for d a proper divisor of 12 — namely, 73 — 
must be = 1 mod 12. 

3. Factor 235 — 1 = 34359738367. First we consider the factors of 24 — 1 
for d = 1, 5, 7. This gives the prime factors 31 and 127. Now (235 — 
1)/(31 - 127) = 8727391. According to the proposition, any remaining 
prime factor must be = 1 mod 70. So we check 71, 211, 281,..., looking 
for divisors of 8727391. At first, we might be afraid that we’ll have 
to check all such primes less than 8727391 = 2954. ---. However, we 
immediately find that 8727391 = 71 - 122921, and then it remains to 
check only up to 122921 = 350.---. We find that 122921 is prime. 
Thus, 28° — 1 = 31-71 - 127 - 122921 is the prime factorization. 
Remark. In Example 3, how can one do the arithmetic on a calculator 
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that only shows, say, 8 decimal places? Simply break up the numbers into 
sections. For example, when we compute 2°5 we reach the limit of our 
calculator display with 226 = 67108864. To multiply this by 29 = 512, 
we write 235 = 512 - (67108 - 1000 + 864) = 34359296 - 1000 + 442368 = 
34359738368. Later, when we divide 295—1 by 31-127 = 3937, we first divide 
3937 into 34359738, taking the integer part of the quotient: [ 34858788 | = 
8727. Next, we write 34359738 = 3937 - 8727 + 1539. Then 


34359738367 (3937 - 8727 + 1539) - 1000 + 367 


3937 3937 
1539367 
= 8727000 + 3937 

= 8727391. 


Exercises 


1. Give two different proofs that if n is odd, then 6 +1 = (b+ 1)(6"-! — 
b"-2 4....+4+6? —b+1). In one proof use a polynomial identity. In the 
other proof use arithmetic to the base b. 

2. Prove that if 2" — 1 is a prime, then n is a prime, and that if 2" +1 
is a prime, then n is a power of 2. The first type of prime is called a 
“Mersenne prime,” as mentioned above, and the second type is called 
a “Fermat prime.” The first few Mersenne primes are 3, 7, 31, 127; the 
first few Fermat primes are 3, 5, 17, 257. 

3. Suppose that b is prime to m, where m > 2, and a and c are positive 
integers. Prove that, if b* = —1 mod m and b° = +1 mod m, and if 
d= g.c.d.(a,c), then b¢ = —1 mod m, and a/d is odd. 

4. Prove that, if p|b” +1, then either (i) p|b¢+1 for some proper divisor 
d of n for which n/d is odd, or else (ii) p= 1 mod 2n. 

5. Let m= 274 +1 = 16777217. 

(a) Find a Fermat prime which divides m. 
(b) Prove that any other prime is = 1 mod 48. 
(c) Find the complete prime factorization of m. 
6. Factor 3!5 — 1 and 374 — 1. 
7. Factor 5!2 — 1. 


8. Factor 10°—1, 10°—1 and 10° —1. 

9. Factor 235 — 1 and 274 —1. 

10. Factor 215 — 1, 23° 1, and 26 — 1. 

11. (a) Prove that if d = g.c.d.(m,n) and a > 1 is an integer, then 


g.c.d.(a™ —1, a*—1) =a? —-1. 

(b) Suppose you want to multiply two k-bit integers a and b, where k 
is very large. Let £ be a fixed integer much smaller than k. Choose a set 
of m;,1<i<r, such that £ < m; < £ for all i and g.c.d.(m;,m;) =1 
for i 4 j. Choose r = [4k/ ef + 1. Suppose that a large integer such as 
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a is stored as an r-tuple (a1,...,a,), where a; is the least nonnegative 
residue of a mod 2™: — 1. Prove that a, b and ab are each uniquely 
determined by the corresponding r-tuple, and estimate the number of 
bit operations required to find the r-tuple corresponding to ab from 
the r-tuples corresponding to a and b. 
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Finite Fields and Quadratic 
Residues 


In this chapter we shall assume familiarity with the basic definitions and 
properties of a field. We now briefly recall what we need. 


1. 


A field is a set F with a multiplication and addition operation which 
satisfy the familiar rules — associativity and commutativity of both 
addition and multiplication, the distributive law, existence of an ad- 
ditive identity 0 and a multiplicative identity 1, additive inverses, and 
multiplicative inverses for everything except 0. The following examples 
of fields are basic in many areas of mathematics: (1) the field Q con- 
sisting of all rational numbers; (2) the field R of real numbers; (3) the 
field C of complex numbers; (4) the field Z/pZ of integers modulo a 
prime number p. 

A vector space can be defined over any field F by the same properties 
that are used to define a vector space over the real numbers. Any 
vector space has a basis, and the number of elements in a basis is 
called its dimension. An extension field, i.e., a bigger field containing 
F, is automatically a vector space over F. We call it a finite extension if 
it is a finite dimensional vector space. By the degree of a finite extension 
we mean its dimension as a vector space. One common way of obtaining 
extension fields is to adjoin an element to F: we say that K = F(a) if 
K is the field consisting of all rational expressions formed using a and 
elements of F. 

Similarly, the polynomial ring can be defined over any field F. It is de- 
noted F[X]; it consists of all finite sums of powers of X with coefficients 
in F. One adds and multiplies polynomials in F[X] in the same way as 
one does with polynomials over the reals. The degree d of a polynomial 
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is the largest power of X which occurs with nonzero coefficient; in a 
monic polynomial the coefficient of X4 is 1. We say that g divides f, 
where f, g € F[X], if there exists a polynomial h € F[X] such that 
f = gh. The irreducible polynomials f € F[X] are those that are not 
divisible by any polynomials of lower degree except for constants; they 
play the role among the polynomials that the primes play among the 
integers. The polynomial ring has unique factorization, meaning that 
every monic polynomial can be written in one and only one way (except 
for the order of factors) as a product of monic irreducible polynomials. 
(A non-monic polynomial can be uniquely written as a constant times 
such a product.) 

4. An element a in some extension field K containing F is said to be 
algebraic over F if it satisfies a polynomial with coefficients in F. In 
that case there is a unique monic irreducible polynomial in F[X] of 
which a is a root (and any other polynomial which a satisfies must be 
divisible by this monic irreducible polynomial). If this monic irreducible 
polynomial has degree d, then any element of F(a) (i.e., any rational 
expression involving powers of a and elements in F) can actually be 
expressed as a linear combination of the powers 1, a, a?,...,a?—! Thus, 
those powers of a form a basis of F(a) over F’, and so the degree of 
the extension obtained by adjoining a is the same as the degree of 
the monic irreducible polynomial of a. Any other root a’ of the same 
irreducible polynomial is called a conjugate of a over F. The fields 
F(a) and F(a’) are isomorphic by means of the map that takes any 
expression in terms of a to the same expression with a replaced by a’. 
The word “isomorphic” means that we have a 1-to-1 correspondence 
that preserves addition and multiplication. In some cases the fields 
F(q) and F(a’) are the same, in which case we obtain an automorphism 
of the field. For example, 2 has one conjugate, namely —/2, over Q, 
and the map a+b/2 4 a—byv?2 is an automorphism of the field Q(V2) 
(which consists of all real numbers of the form a + bV2 with a and b 
rational). If all of the conjugates of a@ are in the field F(a), then F(a) 
is called a Galois extension of F. 

5. The derivative of a polynomial is defined using the nX"~! rule (not as 
a limit, since limits don’t make sense in F unless there is a concept of 
distance or a topology in F). A polynomial f of degree d may or may 
not have a root r € F, i.e., a value which gives 0 when substituted in 
place of X in the polynomial. If it does, then the degree-1 polynomial 
X —r divides f; if (X —r)™ is the highest power of X —r which divides 
f, then we say that r is a root of multiplicity m. Because of unique 
factorization, the total number of roots of f in F, counting multiplicity, 
cannot exceed d. If a polynomial f € F[X] has a multiple root r, then 
r will be a root of the greatest common divisor of f and its derivative 
f'(see Exercise 13 of §1.2). 

6. Given any polynomial f(X) € F[X], there is an extension field K of 
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F such that f(X) splits into a product of linear factors (equivalently, 
has d roots in K, counting multiplicity, where d is its degree) and such 
that K is the smallest extension field containing those roots. K is called 
the splitting field of f. The splitting field is unique up to isomorphism, 
meaning that if we have any other field K’ with the same properties, 
then there must be a 1-to-1 correspondence K~K’ which preserves 
addition and multiplication. For example, Q(./2) is the splitting field 
of f(X) = X? — 2, and to obtain the splitting field of f(X) = X? —2 
one must adjoin to Q both ¥/2 and /—3. 

7. If adding the multiplicative identity 1 to itself in F never gives 0, then 
we say that F has characteristic zero; in that case F contains a copy 
of the field of rational numbers. Otherwise, there is a prime number 
p such that 1+1+---+1 (p times) equals 0, and p is called the 
characteristic of the field F. In that case F contains a copy of the field 
Z/pZ (see Corollary 1 of Proposition 1.3.1), which is called its prime 
field. 


1 Finite fields 


Let F, denote a field which has a finite number q of elements in it. Clearly 
a finite field cannot have characteristic zero; so let p be the characteristic of 
F,. Then F, contains the prime field F, = Z/pZ, and so is a vector space 
— necessarily finite dimensional — over F,. Let f denote its dimension as 
an F,—vector space. Since choosing a basis enables us to set up a 1-to-1 
correspondence between the elements of this f-dimensional vector space 
and the set of all f-tuples of elements in F,, it follows that there must be 
pf elements in F,. That is, q is a power of the characteristic p. 

We shall soon see that for every prime power q = p/ there is a field of 
q elements, and it is unique (up to isomorphism). 

But first we investigate the multiplicative order of elements in F9, the 
set. of nonzero elements of our finite field. By the “order” of a nonzero 
element we mean the least positive power which is 1. 

Existence of multiplicative generators of finite fields. There are g — 1 
nonzero elements, and, by the definition of a field, they form an abelian 
group with respect to multiplication. This means that the product of two 
nonzero elements is nonzero, the associative law and commutative law hold, 
there is an identity element 1, and any nonzero element has an inverse. It is 
a general fact about finite groups that the order of any element must divide 
the number of elements in the group. For the sake of completeness, we give 
a proof of this in the case of our group Fj. 

Proposition II.1.1. The order of any a € Fy divides q—1. 

First proof. Let d be the smallest power of a which equals 1. (Note 
that there is a finite power of a that is 1, since the powers of a in the finite 
set F* cannot all be distinct, and as soon as a’ = a! for j > i we have 
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aj-* = 1.) Let 9 = {1, a, a?,...,a?-1} denote the set of all powers of a, 
and for any b € F§ let bS denote the “coset” consisting of all elements of 
the form ba’ (for example, 19 = S). It is easy to see that any two cosets 
are either identical or distinct (namely: if some bya" in 6, S is also in 62S, 
ie., if it is of the form baa, then jany element bya in b,S is of the form to 
be in b2S, because bia* = ba’ igi’-i = boast —*). And each coset contains 
exactly d elements. Since the union of all the cosets exhausts F7, this means 
that F{ is a disjoint union of d-element sets; hence d|(q — 1). 

Second proof. First we show that a?~ 1 = 1. To see this, write the 
product of all nonzero elements in F,. There are g — 1 of them. If we 
multiply each of them by a, we get a coartangeiient of the same elements 
(since any two distinct elements remain distinct after multiplication by a). 
Thus, the product is not affected. But we have multiplied this product 
by a1. Hence a?—! = 1. (Compare with the proof of Proposition 1.3.2.) 
Now let d be the order of a, i.e., the smallest positive power which gives 
1. If d did not divide g — 1, we could find a smaller positive number r — 
namely, the remainder when g — 1 = bd +r is divided by d — such that 
a” = ai—!—4 — 1, But this contradicts the minimality of d. This concludes 
the proof. 

Definition. A generator g of a finite field F, is an element of order q—1; 
equivalently, the powers of g run through all of the elements of F5. 

The next proposition is one of the very basic facts about finite fields. 
It says that the nonzero elements of any finite field form a cyclic group, i.e., 
they are all powers of a single element. 

Proposition II.1.2. Every finite field has a generator. If g is a generator 
of Fj, then g? is also a generator if and only if g.c.d.(j, q—1) = 1. In 
particular, there are a total of p(q — 1) different generators of F. 

Proof. Suppose that a € Fj has order d, ie., a? = 1 and no lower 
power of a gives 1. By Proposition II.1.1, d divides q — 1. Since a® is the 
smallest power which equals 1, it follows that the elements a, a?,..., a4 = 1 
are distinct. We claim that the elements of order d are precisely the y(d) 
values a/ for which g.c.d.(j,d) = 1. First, since the d distinct powers of a all 
satisfy the equation x4 = 1, these are all of the roots of the equation (see 
paragraph 5 in the list of facts about fields). Any element of order d must 
thus be among the powers of a. However, not all powers of a have order 
d, since if g.c.d.(j,d) = d’ > 1, then a? has lower order: because d/d’ and 

j/d' are integers, we can write (ai)(4/ a’) — (a4)3/4’ — 1. Conversely, we now 
show that aJ does have order d whenever gc. d.(j,d) = 1. If j is prime to d, 
and if a? had a smaller order d” then a raised to either the 7—th or the 
d—th power would give 1, and hence a?’ raised to the power g.c.d. (j,d) =1 
would give 1 (this is proved in exactly the same way as Proposition 1.4.2). 
But this contradicts the fact that a is of order d and soa? +1. Thus, a? 
has order d if and only if g.c.d.(j,d) = 1. 

This means that, if there is any element a of order d, then there are 
exactly y(d) elements of order d. So for every d|(q — 1) there are only two 
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possibilities: no element has order d, or exactly y(d) elements have order d. 

Now every element has some order d|(qg—1). And there are either 0 or 
y(d) elements of order d. But, by Proposition 1.3.7, 7 yq—1 (4) =9-1, 
which is the number of elements in Fj. Thus, the only way that every 
element can have some order d|(q—1) is if there are always (d) (and never 
0) elements of order d. In particular, there are y(q — 1) elements of order 
q—1; and, as we saw in the previous paragraph, if g is any element of order 
q—1, then the other elements of order q—1 are precisely the powers g’ for 
which g.c.d.(j, g— 1) = 1. This completes the proof. 

Corollary. For every prime p, there exists an integer g such that the 
powers of g exhaust all nonzero residue classes modulo p. 

Example 1. We can get all residues mod 19 from 1 to 18 by taking 
powers of 2. Namely, the successive powers of 2 reduced mod 19 are: 2, 4, 
8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1. 

In many situations when working with finite fields, such as F, for some 
prime p, it is useful to find a generator. What if a number g € F¥ is chosen 
at random? What is the probability that it will be a generator? In other 
words, what proportion of all of the nonzero elements consists of generators? 
According to Proposition II.1.2, the proportion is y(p — 1)/(p — 1). But 
by our formula for y(n) following the corollary of Proposition 1.3.3, this 
fraction is equal to the [](1 — $)s where the product is over all primes 
dividing p — 1. Thus, the odds of getting a generator by a random guess 
depend heavily on the factorization of p — 1. For example, we can prove: 

Proposition II.1.3. There exists a sequence of primes p such that the 
probability that a random g € F¥, is a generator approaches zero. 

Proof. Let {n;} be any sequence of positive integers which is divisible 
by more and more of the successive primes 2, 3, 5, 7,... a8 7 —> 00. 
For example, we could take n; = j!. Choose p; to be any prime such that 
pj = 1 mod n;. How do we know that such a prime exists? That follows from 
Dirichlet’s theorem on primes in an arithmetic progression, which states: If 
n and k are relatively prime, then there are infinitely many primes which are 
= k mod n. (In fact, more is true: the primes are “evenly distributed” among 
the different possible k mod n, i.e., the proportion of primes = k mod n is 
1/y(n); but we don’t need that fact here.) Then the primes dividing p; — 1 
include all of the primes dividing n;, and so ee) = Upaersaat = 5). 
But as j —> oo this product approaches |], mee a) which is zero 
(see Exercise 23 of §1.3). This proves the proposition. 


Existence and uniqueness of finite fields with prime power number of 
elements. We prove both existence and uniqueness by showing that a finite 
field of g = p/ elements is the splitting field of the polynomial X?— X. The 
following proposition shows that for every prime power q there is one and 
(up to isomorphism) only one finite field with q elements. 

Proposition 11.1.4. If F, is a field of gq = pf elements, then every 
element satisfies the equation X21 — X = 0, and F, is precisely the set 
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of roots of that equation. Conversely, for every prime power q = pf the 
splitting field over F, of the polynomial X4 — X is a field of q elements. 

Proof. First suppose that F, is a finite field. Since the order of any 
nonzero element divides q — 1, it follows that any nonzero element satisfies 
the equation X9~1 = 1, and hence, if we multiply both sides by X, the 
equation X7 = X. Of course, the element 0 also satisfies the latter equation. 
Thus, all q elements of F, are roots of the degree-g polynomial X? — X. 
Since this polynomial cannot have more than q roots, its roots are precisely 
the elements of F,. Notice that this means that F, is the splitting field of 
the polynomial X4 — X, that is, the smallest field extension of F, which 
contains all of its roots. 

Conversely, let ¢g = p/ be a prime power, and let F be the splitting 
field over F, of the polynomial X? — X. Note that X? — X has derivative 
qX%-1 — 1 = —1 (because the integer g is a multiple of p and so is zero 
in the field F,); hence, the polynomial X% — X has no common roots with 
its derivative (which has no roots at all), and therefore has no multiple 
roots. Thus, F must contain at least the q distinct roots of X? — X. But 
we claim that the set of q roots is already a field. The key point is that 
a sum or product of two roots is again a root. Namely, if a and 5 satisfy 
the polynomial, we have a? = a, b’ = b, and hence (ab)? = ab, i.e., the 
product is also a root. To see that the sum a+b also satisfies the polynomial 
X4— X = 0, we note a fundamental fact about any field of characteristic 
D: 

Lemma. (a + b)? = a? + bP in any field of characteristic p. 

The lemma is proved by observing that all of the intermediate terms 
vanish in the binomial expansion }>%_, (*)a?~7b’, because p!/(p — j)!¥! is 
divisible by p for 0 < j <p. 

Repeated application of the lemma gives us: a? + b? = (a+ b)?, a? + 
bP” = (aP + bP)P = (a+b)?”,..., a’ + b! = (a+ b)’. Thus, if a? = a and 
b? = bit follows that (a+b)? =a+b, and soa+bis also a root of X7—X. 
We conclude that the set of q roots is the smallest field containing the roots 
of X47 — X, i.e., the splitting field of this polynomial is a field of g elements. 
This completes the proof. 

In the proof we showed that raising to the p-th power preserves addition 
and multiplication. We derive another important consequence of this in the 
next proposition. 

Proposition II.1.5. Let F, be the finite field of q = pt elements, and let 
a be the map that sends every element to its p-th power: o(a) = a? Theno 
is an automorphism of the field F, (a 1-to-1 map of the field to itself which 
preserves addition and multiplication). The elements of Fg which are kept 
fixed by o are precisely the elements of the prime field Fp. The f-th power 
(and no lower power) of the map o is the identity map. 

Proof. A map that raises to a power always preserves multiplication. 
The fact that o preserves addition comes from the lemma in the proof of 
Proposition II.1.4. Notice that for any 7 the j-th power of o (the result of 
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repeating o j times) is the map a+ a”. Thus, the elements left fixed by 
o are the roots of X” — X. If j = 1, these are precisely the p elements of 
the prime field (this is the special case g = p of Proposition II.1.4, namely, 
Fermat’s Little Theorem). The elements left fixed by of are the roots of 
X4% — X, i.e., all of Fg. Since the f-th power of o is the identity map, 7 


must be 1-to-1 (its inverse map is of-!: at ap’ ). No lower power of o 
gives the identity map, since for j < f not all of the elements of F, could 
be roots of the polynomial X” — X. This completes the proof. 
Proposition 11.1.6. In the notation of Proposition II.1.5, if a is any 
element of F,, then the conjugates of a over F, (the elements of Fg which 
satisfy the same monic irreducible polynomial with coefficients in F,) are 


the elements 05(a) = a?. 
Proof. Let d be the degree of F,(a) as an extension of F,. That is, 
F,(a) is a copy of F,4. Then a satisfies XP* — X but does not satisfy 


XP’ — X for any j < d. Thus, one obtains d distinct elements by repeatedly 
applying o to a. It now suffices to show that each of these elements satisfies 
the same monic irreducible polynomial f(X) that a does, in which case they 
must be the d roots. To do this, it is enough to prove that, if a satisfies 
a polynomial f(X) € F,[X], then so does a? Let f(X) = )>a;X!, where 
a; € F,. Then 0 = f(a) = )\a;a! Raising both sides to the p-th power 
gives 0 = )\(a;a’)? (where we use the fact that raising a sum a + b to the 
p-th power gives a? + bP). But at = a;, by Fermat’s Little Theorem, and 
so we have: 0 = )-a;(a?)’ = f(a?), as desired. This completes the proof. 

Explicit construction. So far our discussion of finite fields has been 
rather theoretical. Our only practical experience has been with the finite 
fields of the form F, = Z/pZ. We now discuss how to work with finite 
extensions of F,. At this point we should recall how in the case of the 
rational numbers Q we work with an extension such as Q(/2). Namely, 
we get this field by taking a root a of the equation X* — 2 and looking at 
expressions of the form a+ ba, which are added and multiplied in the usual 
way, except that a? should always be replaced by 2. (In the case of Q( 7/2) 
we work with expressions of the form a + ba + ca*, and when we multiply 
we always replace a* by 2.) We can take the same general approach with 
finite fields. 

Example 2. To construct F9 we take any monic quadratic polynomial in 
F3[X] which has no roots in F3. By trying all possible choices of coefficients 
and testing whether the elements 0,+1 € F3 are roots, we find that there 
are three monic irreducible quadratics: X? +1, X?+ X —1. If, for example, 
we take a to be a root of X? + 1 (let’s call it i rather than a — after all, 
we are simply adjoining a square root of —1), then the elements of Fg are 
all combinations a + bi, where a and 6 are 0, 1, or —1. Doing arithmetic in 
F4 is thus a lot like doing arithmetic in the Gaussian integers (see Exercise 
14 of §1.2), except that our arithmetic with the coefficients a and b occurs 
in the tiny field F3. 


38 II. Finite Fields and Quadratic Residues 


Notice that the element i that we adjoined is not a generator of F3, 
since it has order 4 rather than g—1 = 8. If, however, we adjoin a root a of 
X?— X —1, we can get all nonzero elements of Fg by taking the successive 
powers of a (remember that a? must always be replaced by a + 1, since 
a satisfies X? = X + 1): a! = a, a? = a4+1, a? = -a4+1, a4 = -1, 
a} = —a, a® = —a—- 1, a” = a—1, a® = 1. We sometimes say that 
the polynomial X2 — X — 1 is primitive, meaning that any root of the 
irreducible polynomial is a generator of the group of nonzero elements of 
the field. There are 4 = (8) generators of Fj, by Proposition II.1.2: two 
are the roots of X*— X —1 and two are the roots of X?+ X —1. (The second 
root of X2 — X — 1 is the conjugate of a, namely, o(a@) = a? = —a +1.) Of 
the remaining four nonzero elements, two are the roots of X? + 1 (namely 
+i = +(a + 1)) and the other two are the two nonzero elements +1 of Fs 
(which are roots of the degree-1 monic irreducible polynomials X — 1 and 
X +1). 

In general, in any finite field F,, q = p/, each element a satisfies a 
unique monic irreducible polynomial over F, of some degree d. Then the 
field F,(a) obtained by adjoining this element to the prime field is an 
extension of degree d that is contained in F,. That is, it is a copy of the 
field F,«. Since the big field F,, contains F<, and so is an F,«—vector 
space of some dimension f; it follows that the number of elements in Fs 
must be (p*)/’, ie., f = df! Thus, d|f. Conversely, for any d|f the finite 
field F,a is contained in F,, because any solution of XP* = X is also a 
solution of X?’ = X. (To see this, note that for any d’, if you repeatedly 
replace X by X P* on the left in the equation X Po X , you can obtain 
xe = 1.) Thus, we have proved: 

Proposition II.1.7. The subfields of Fs are the F,a for d dividing f. 
If an element of F,s is adjoined to Fy, one obtains one of these fields. 

It is now easy to prove a formula that is useful in determining the 
number of irreducible polynomials of a given degree. 

Proposition I1.1.8. For any q = p’ the polynomial X4 — X factors in 
F,[X] into the product of all monic irreducible polynomials of degrees d 
dividing f. 

Proof. If we adjoin to F, a root a@ of any monic irreducible polyno- 
mial of degree d|f, we obtain a copy of F,a, which is contained in F,;. 
Since a then satisfies X7 — X = 0, the monic irreducible must divide that 
polynomial. Conversely, let f(X) be a monic irreducible polynomial which 
divides X4 — X. Then f(X) must have its roots in F, (since that’s where 
all of the roots of X7— X are). Thus f(X) must have degree dividing f, by 
Proposition I1.1.7, since adjoining a root gives a subfield of F,. Thus, the 
monic irreducible polynomials which divide X? — X are precisely all of the 
ones of degree dividing f. Since we saw that X? — X has no multiple fac- 
tors, this means that X% — X is equal to the product of all such irreducible 
polynomials, as was to be proved. 
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Corollary. If f is a prime number, then there are (pf — p)/f distinct 
monic irreducible polynomials of degree f in F,[X]. 

Notice that (pf —p)/f is an integer because of Fermat’s Little Theorem 
for the prime f, which guarantees that p’ = p mod f. To prove the corollary, 
let n be the number of monic irreducible polynomials of degree f. According 
to the proposition, the degree-p/ polynomial X. Pp _ X is the product of n 
polynomials of degree f and the p degree-1 irreducible polynomials X — a 
for a € F,. Thus, equating degrees gives: pf = nf +p, from which the 
desired equality follows. 

More generally, suppose that f is not necessarily prime. Then, letting 
nq denote the number of monic irreducible polynomials of degree d over 
F,, we have ns = (p/ — )> dna)/f, where the summation is over all d < f 
which divide f. 

We now extend the time estimates in Chapter I for arithmetic modulo 
p to general finite fields. 

Proposition 11.1.9. Let F,, where q = pf, be a finite field, and let 
F(X) be an irreducible polynomial of degree f over Fp. Then two elements 
of F, can be multiplied or divided in O(log?q) bit operations. If k is a 
positive integer, then an element of F, can be raised to the k-th power in 
O(log klog?q) bit operations. 

Proof. An element of F, is a polynomial with coefficients in F, = Z/pZ 
regarded modulo F(X). To multiply two such elements, we multiply the 
polynomials — this requires O( f?) multiplications of integers modulo p (and 
some additions of integers modulo p, which take much less time) — and 
then divide the polynomial F(X) into the product, taking the remainder 
polynomial as our answer. The polynomial division involves O(f) divisions 
of integers modulo p and O(f?) multiplications of integers modulo p. Since 
a multiplication modulo p takes O(log?p) bit operations, and a division 
(using the Euclidean algorithm, for example) takes O(log*p) bit operations 
(see the corollary to Proposition I.2.2), the total number of bit operations is: 
O(f?log?p + f log*p) = O((f log p)?) = O(log*q). To prove the same result 
for division, it suffices to show that the reciprocal of an element can be found 
in time O(log*q). Using the Euclidean algorithm for polynomials over the 
field F, (see Exercise 12 of §1.2), we must write 1 as a linear combination of 
our given element in F, (i.e., a given polynomial of degree < f) and the fixed 
degree-f polynomial F(X). This involves O(f) divisions of polynomials of 
degree < f, and each polynomial division requires O( f?log”p + f log3p) = 
O(flog*p) bit operations. Thus, the total time required is O(f%log*p) = 
O(log*q). Finally, a k-th power can be computed by the repeated squaring 
method in the same way as modular exponentiation (see the end of §1.3). 
This takes O(logk) multiplications (or squarings) of elements of F,, and 
hence O(log k log*q) bit operations. This completes the proof. 

We conclude this section with an example of computation with poly- 
nomials over finite fields. We illustrate by an example over the very small- 
est (and perhaps the most important) finite field, the 2-element field 


40 II. Finite Fields and Quadratic Residues 


F, = {0, 1}. A polynomial in F2[X] is simply a sum of powers of X. 
In some ways, polynomials over F, are like integers expanded to the base 
p, where the digits are analogous to the coefficients of the polynomial. For 
example, in its binary expansion an integer is written as a sum of powers of 
2 (with coefficients 0 or 1), just as a polynomial over F>2 is a sum of powers 
of X. But the comparison is often misleading. For example, the sum of any 
number of polynomials of degree d is a polynomial of degree (at most) d; 
whereas a sum of several d-bit integers will be an integer having more than 
d binary digits. 

Example 3. Let f(X) = X4+ X34 X?4+1, g = X3+1 € F,[X]. Find 
g.c.d.(f,g) using the Euclidean algorithm for polynomials, and express the 
g.c.d. in the form u(X)f(X) + v(X)g(X). 

Solution. Polynomial division gives us the sequence of equalities below, 
which lead to the conclusion that g.c.d.(f,g) = X+1, and the next sequence 
of equalities enables us, working backwards, to express X + 1 as a linear 
combination of f and g. (Note, by the way, that in a field of characteristic 
2 adding is the same as subtracting, ie..a—-b=a+b-—2b=a+b.) We 
have: 

f =(X4+1)g+ (X?+X) 
g =(X +1)(X?74+-.X)4+ (X41) 
X?4+X = X(X +1) 


and then 
X+1=g94+(X4+1)(X?+X) 
=g9+(X+1)(f +(X+1)g) 
= (X+1)f + (X?)g. 
Exercises 


1. For p = 2, 3,5, 7, 11,13 and 17, find the smallest positive inte- 
ger which generates F5, and determine how many of the integers 
1, 2, 3,...,p— 1 are generators. 

2. Let (Z/p*Z)* denote all residues modulo p* which are invertible, i.e., 
are not divisible by p. Warning: Be sure not to confuse Z/p%Z (which 
has p* — p*~} invertible elements) with F,« (in which all elements 
except 0 are invertible). The two are the same only when a = 1. 

(a) Let g be an integer which generates F5, where p > 2. Let a be 
any integer greater than 1. Prove that either g or (p+ 1)g generates 
(Z/p%Z)* Thus, the latter is also a cyclic group. 

(b) Prove that if a > 2, then (Z/2%Z)* is not cyclic, but that the 
number 5 generates a subgroup consisting of half of its elements, namely 
those which are = 1 mod 4. 

3. How many elements are in the smallest field extension of F5 which 
contains all of the roots of the polynomials X?+ X +1 and X°+X+1? 


10. 


11. 


12. 


13. 
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For each degree d < 6, find the number of irreducible polynomials over 
F. of degree d, and make a list of them. 

For each degree d < 6, find the number of monic irreducible polyno- 
mials over F3 of degree d, and for d < 3 make a list of them. 

Suppose that f is a power of a prime @. Find a simple formula for the 
number of monic irreducible polynomials of degree f over Fp. 

Use the polynomial version of the Euclidean algorithm (see Exercise 
12 of §1.2) to find g.c.d.(f, g) for f, g € Fp[X] in each of the following 
examples. In each case express the g.c.d. polynomial as a combination 
of f and g, ie., in the form d(X) = u(X)f(X) + v(X)g(X). 

(a) f= X34 X41, g=X27+X41, p=2; 

(b) f = X84 X54 X44 X34 X74 X41, 9=X*4+ X74X41, 
p=2; 

(c) f =X? -X4+1,9=X*4+1, p=3; 

(d) f= X54 X44 X3—- X?2?-X41,g=X3+ X24 X41, p=3; 
(e) f = X5+8824+73X3+483X2+51X +67, g = X3+97X7+4+40X +38, 
p= 101. 

By computing g.c.d.(f, f’) (see Exercise 13 of §1.2), find all multiple 
roots of f(X) = X74+ X54 X4— X3— X2-X +1 € F3[X] in its 
splitting field. 

Suppose that a € F,: satisfies the polynomial X? + aX + b, where 
a,b€ Fp. 

(a) Prove that a? also satisfies this polynomial. 

(b) Prove that if a ¢ F,, then a = —a — a? and b= a?) 

(c) Prove that if a ¢ F, and c,d € Fp, then (ca+d)?*! = d*—acd+bc? 
(which is € F,). 

(d) Let i be a square root of —1 in Fj92. Use part (c) to find (2+3i)! 
(ie., write it in the form a + bi, a,b € Fig). 

Let d be the maximum degree of two polynomials f, g € F,[X]. Give 
an estimate in terms of d and p for the number of bit operations needed 
to compute g.c.d.(f,g) using the Euclidean algorithm. 

For each of the following fields F,, where q = p/ find an irreducible 
polynomial with coefficients in the prime field whose root a is primitive 
(ie., generates F7), and write all of the powers of a as polynomials in 
a of degree < f: (a) Fa; (b) Fs; (c) Faz; (d) Fas. 

Let F(X) € F2[X] be a primitive irreducible polynomial of degree f. If 
a denotes a root of F(X), this means that the powers of a exhaust all 
of F3,. Using the big-O notation, estimate (in terms of f) the number 
of bit operations required to write every power of a as a polynomial in 
a of degree less than f. 

(a) Under what conditions on p and f is every element of Fs besides 
0, 1 a generator of FY ,? 

(b) Under what conditions is every element # 0, 1 either a generator 
or the square of a generator? 
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14. For any fixed p, show that there is a sequence g; = p/i of powers of p 
such that the probability that a random element of F,, is a generator 
of Fi approaches 0 as j7 — oo. 

15. Which polynomials in F,[X] have derivative identically zero? 

16. Let o be the automorphism of F, in Proposition II.1.5. Prove that the 
set of elements left fixed by o? is the field F,«, where d = g.c.d.(j, f). 


17. Prove that if b is a generator of F*, and if din, then b"—1)/ (P*-1) ig 
a generator of Fra: 


2 Quadratic residues and reciprocity 


Roots of unity. In many situations it is useful to have solutions of the 
equation x” = 1. Suppose we are working in a finite field F,. We now 
answer the question: How many n-th roots of unity are there in F,? 

Proposition I1.2.1. Let g be a generator of Fj. Then g is an n-th root 
of unity if and only if nj =0 mod q—1. The number of n-th roots of unity 
is g.c.d.(n, g—1). In particular, F, has a primitive n-th root of unity (i.e., 
an element £ such that the powers of € run through n n-th roots of unity) 
if and only if n| q—1. If € is a primitive n-th root of unity in Fy, then & 
is also a primitive n-th root if and only if g.c.d.(j, n) = 1. 

Proof. Any element of F} can be written as a power g’ of the generator 
g. A power of g is 1 if and only if the power is divisible by q — 1. Thus, 
an element g’ is an n-th root of unity if and only if nj = 0 mod q- 1. 
Next, let d = g.c.d.(n, q—1). According to Corollary 2 of Proposition 1.3.1, 
the equation nj = 0 mod q — 1 (with j the unknown) is equivalent to 
the equation 47 = 0 mod . Since n/d is prime to (gq — 1)/d, the latter 
congruence is equivalent to requiring j to be a multiple of (q — 1)/d. In 
other words, the d distinct powers of g9—1)/4 are precisely the n-th roots 
of unity. There are n such roots if and only if d = n, i.e., n| q — 1. Finally, 
if n does divide q — 1, let € = g(¢-))/" Then €& equals 1 if and only if n|j. 
The k-th power of € equals 1 if and only if kj = 0 mod n. It is easy to see 
that € has order n (i.e., this equation does not hold for any positive k < n) 
if and only if j is prime to n. Thus, there are y(n) different primitive n-th 
roots of unity if n| q — 1. This completes the proof. 

Corollary 1. If g.c.d.(n, q—1) = 1, then 1 is the only n-th root of unity. 

Corollary 2. The element —1 € Fy has a square root in F, if and only 
if q=1 mod 4. 

The first corollary is a special case of the proposition. To prove Corol- 
lary 2, note that a square root of —1 is the same thing as a primitive 4th 
root of 1, and our field has a primitive 4th root if and only if 4| q — 1. 

Corollary 2 says that if g = 3 mod 4, we can always get the quadratic 
extension F,2 by adjoining a root of X 241, ie., by considering “Gaussian 
integer” type expressions a + bi. We did this for g = 3 in the last section. 
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Let us suppose, for example, that p is a prime which is = 3 mod 4. 
There is a nice way to think of the field F,2 which generalizes to other 
situations. Let R denote the Gaussian integer ring (see Exercise 14 of §1.2). 
Sometimes we write R = Z+Zi, meaning the set of all integer combinations 
of 1 and i. If m is any Gaussian integer, and a = a+ bi and B@=c+di 
are two Gaussian integers, we write a = 3 mod m if a — f is divisible by 
m, i.e., if the quotient is a Gaussian integer. We can then look at the set 
R/mR of residue classes modulo m; just as in the case of ordinary integers, 
residue classes can be added or multiplied, and the residue class of the result 
does not depend on which representatives were chosen for the residue class 
factors. Now if m = p+ 0i is a prime number which is = 3 mod 4, it is not 
hard to show that R/pR is the field F,2. 

Quadratic residues. Suppose that p is an odd prime, i.e., p > 2. We are 
interested in knowing which of the nonzero elements {1, 2,...,p—1} of Fp 
are squares. If some a € Ff is a square, say b? = a, thena has precisely 30) 
square roots +b (since the equation X? — a = 0 has at most two solutions 
in a field). Thus, the squares in F5 can all be found by computing b? mod p 
for b = 1, 2, 3,...,(p — 1)/2 (nce the remaining integers up to p — 1 
are al] = 5 for one of these b), and precisely half of the elements in FF 
are squares. For example, the squares in Fj; are 1? = 1, 2? = 4, 3? = 9, 
4? = 5, and 5* = 3. The squares in F,, are called hicsinatie residues modulo 
p. The remaining nonzero elements are called nonresidues. For p = 11 the 
nonresidues are 2, 6, 7, 8, 10. There are (p — 1)/2 residues and (p — 1)/2 
nonresidues. 

If g is a generator of F,, then any element can be written in the form g/ 
Thus, the square of any element is of the form g’ with 7 even. Conversely, 
any element of the form g’ with j even is the square of some element, 
namely +9//2, 

The Legendre symbol. Let a be an integer and p > 2 a prime. We 
define the Legendre symbol ($) to equal 0, 1 or —1, as follows: 


0, if pia; 
(=) =¢1,  ifais a quadratic residue mod p; 
if a is a nonresidue mod p. 


Thus, the Legendre symbol is simply a way of identifying whether or not 
an integer is a quadratic residue modulo p. 
Proposition IT.2.2. 


(5) = a'?-))/2 mod p. 


Proof. If a is divisible by p, then both sides are = 0 mod p. Suppose 
p ja. By Fermat’s Little Theorem, in F, the square of a‘?—1)/? is 1, so 
a(?-1)/2 itself is +1. Let g be a generator ‘of F*, and let a = g! As we saw, 
a is a residue if and only if 7 is even. And a(P—1)/ 2 — gi(P-1)/2 is 1 if and 
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only if j(p — 1)/2 is divisible by p — 1, i-e., if and only if j is even. Thus, 
both sides of the congruence in the proposition are +1 in F,, and each side 
is +1 if and only if 7 is even. This completes the proof. 

Proposition II.2.3. The Legendre symbol satisfies the following proper- 
ties: 

(a) (§) depends only on the residue of a modulo p; 
(b) (2) = (2)(3); 

(c) for b prime to p, (%) = (4); 

(d) (3) =1 and (}) = (-1)@-V?. 

Proof. Part (a) is obvious from the definition. Part (b) follows from 
Proposition II.2.2, because the right side is congruent modulo p to a?-1)/2. 
b(P-1)/2 — (qb)P-1)/2 as is the left side. Part (c) follows immediately from 
part (b). The first equality in part (d) is obvious, because 1? = 1, and the 
second equality comes from Corollary 2 of Proposition II.2.1 (or by taking 
a = —1 in Proposition II.2.2). This completes the proof. 

Part (b) of Proposition II.2.3 shows that one can determine if a number 
a is a quadratic residue modulo p, i.e., one can evaluate (2), if one factors 
a and knows the Legendre symbol for the factors. The first step in doing 
this is to write a as a power of 2 times an odd number. We then want to 
know how to evaluate (2). 

Proposition IT.2.4. 

(2) = (1-0/8 = { 1 ifp=+1 mod 8; 
D —1 ifp=+3 mod 8. 

Proof. Let f(n) = (-1)"’-1)/8 for n odd, f(n) = 0 for n even. We 
want to show that (2) = f(p). Of the various ways of proving this, we 
shall use an efficient method based on what we already know about finite 
fields. Since p? = 1 mod 8 for any odd prime p, we know that the field F,2 
contains a primitive 8-th root of unity. Let € € F,2 denote a primitive 8-th 
root of 1. Note that 4 = —1. Define G = er f(j)é. (G is an example 
of what is called a Gauss sum.) Then G = € — €? — €5 + €7 = 2(€ — 3) 
(because £5 = €4€ = —€ and ¢” = —€3), and G? = 4(€? — 2¢4 + £6) = 8. 
Thus, in F,2 we have 


GP = (G2)®-D/2g = gP-D/2g = (2\e i (=)c, 
Pp 


by Proposition IJ.2.2 and Proposition II.2.3(c). On the other hand, using 
the definition of G, the fact that (a + b)? = a? + bP in F,2, and the obvious 
observation that f(j)? = f(j), we compute: G? = Re f(j)€??. Notice 
that f(j) = f(p)f(pj), as we easily check. Then, making the change of 
variables j’ = pj (i.e., modulo 8 we have j’ running through 0,...,7 when 
j does), we obtain: 
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7 7 
GP =S~ F(p)F(pa)é?? = F(p) D> FG)" = FG. 


j=0 j'=0 


Comparing the two equalities for G? gives the desired result. (Notice that 
we can divide by G, since it is not 0 in F,2, as is clear from the fact that 
its square is 8.) 

Next, we must deal with the odd prime factors of a. Let g stand for 
such an odd prime factor. Warning: for the remainder of this section, q will 
stand for an odd prime distinct from p, not for a power of p as in the last 
section. 

Since a can be assumed to be smaller than p (by part (a) of Proposition 
II.2.3), the prime factors q will be smaller than p. The next proposition — 
the fundamental Law of Quadratic Reciprocity — tells us how to relate 
(2) to (#). The latter Legendre symbol will be easier to evaluate, since we 
can immediately replace p by its least positive residue modulo q, thereby 
reducing ourselves to a Legendre symbol involving smaller numbers. The 
quadratic reciprocity law states that (2) and (2) are the same unless p and 
q are both = 3 mod 4, in which case they are the negatives of one another. 
This can be expressed as a formula using the fact that (p — 1)(q — 1)/4 is 
even unless both primes are = 3 mod 4, in which case it is odd. 

Proposition II.2.5 (Law of Quadratic Reciprocity). Let p and q be two 
odd primes. Then 


2 = CVn) - 


-(2) if p= q =3 mod 4; 
(2) otherwise. 


Proof. There are several dozen proofs of quadratic reciprocity in print. 
We shall give a particularly short proof along the lines of the proof of 
the last proposition, using finite fields. Let f be any power of p such that 
pt =1 mod q. For example, we can always take f = q—1. Then, as we saw 
at the beginning of the section (Proposition II.2.1), the field F,s contains 
a primitive q-th root of unity, which we denote £. (Remember that q here 
denotes another prime besides p; it does not denote p/.) We define the 
“Gauss sum” G by the formula G = ro (2)E In the next paragraph we 


shall prove that G? = (—1)(9-)/2q. Before proving that lemma, we show 
how to use it to prove our proposition. The proof is very similar to the 
proof of Proposition II.2.4. We first obtain (using the lemma to be proved 
below): 


G? = (G?)®-V2g = ((-1)-"4) ie 


= (-1)-DQ-Y/AgP-D/2G — (-1 Dea (Z)G, 
p 


by Proposition II.2.2 with a replaced by gq (recall that we’re working in a 
field of characteristic p, namely F,;, and so congruence modulo p becomes 
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equality). On the other hand, using the definition of G, the fact that (a + 
b)P = a? + bP in Fyy, and the obvious observation that (2)? = (2), we 


compute: 
-1 ; 
o Ser E(B 


by parts (b) and (c) of Proposition II.2.3. Pulling (£) outside the summation 
and making the change of variables j’ = pj in the summation, we finally 
obtain: G? = (F)G. Equating our two expressions for G? and dividing by G 
(which is posible since G? = +q and so is not zero in F,s), we obtain the 
quadratic reciprocity law. Thus, it remains to prove the following lemma. 

Lemma. G? = (—1)(9-))/2q, 

Proof. Using the definition of G, where in one copy of G we replace the 
variable of summation j by —k (and note that the summation can start at 
1 rather than 0, since (9) = 0), we have: 


o vt e(Ber= (HEE 


1)e-v/2 rye = ea k), 


j=l k=1 


where we have used Part (d) of Proposition II.2.3 to replace (=) by 
(—1)(¢-)/2 and for each value of j we have made a change of variable 
in the inner summation k «— kj (i.e., for each fixed j, kj runs through the 
residues modulo q as k does, and the summands depend only on the residue 
modulo q). We next use part (c) of Proposition II.2.3, interchange the order 
of summation, and pull the (£) outside the inner sum over j. The double 
sum then becomes v.(£ PEF, €30-k) Here both sums go from 1 to q— 1, 
but if we want we can insert ‘the terms with 7 = 0, since that simply adds 
to the double sum }°,( ‘), which is zero (because there are equally many 
residues and nonresidues modulo q). Thus, the double sum can be written 

#-4(4) eG €32-k) But for each k other than 1, the inner sum vanishes. 
This is because the sum of the distinct powers of a nontrivial (4 1) root of 
unity ¢' is zero (the simplest way to see this is to note that multiplying the 
sum by €¢’ just rearranges it, and so the sum multiplied by ¢’ — 1 is zero). 
So we are left with the contribution when k = 1, and we finally obtain: 


q-1 
G? = (-1y-DA(-) Se! = (-1)9-)/2q, 
j=0 


This completes the proof of the lemma, and hence also the proof of the Law 
of Quadratic Reciprocity. 
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Example 1. Determine whether 7411 is a residue modulo the prime 
9283. 

Solution. Since 7411 and 9283 are both primes which are = 3 mod 4, 
we have ( 063) = = — (2383) = —(2872) by part (a) of Proposition II.2.3. Since 
1872 = gt. 3* - 13, by part (c) of Proposition II.2.3 we find that the desired 
Legendre symbol is — (7435): But we can now apply quadratic reciprocity 
again: since 13 = 1 mod 4 we find that —(743;) = —(44+) = -(4) =-1. 
In other words, 7411 is a quadratic nonresidue. 

One difficulty with this method of evaluating Legendre symbols is that 
at each stage we must factor the number on top in order to apply Proposi- 
tion II.2.5. If our numbers are astronomically large, this will be very time- 
consuming. Fortunately, it is possible to avoid any need for factoring (except 
taking out powers of 2, which is very easy), once we prove a generalization 
of the quadratic reciprocity law that applies to all positive odd integers, 
not necessarily prime. But we first need a definition which generalizes the 
definition of the Legendre symbol. 

The Jacobi symbol. Let a be an integer, and let n be any positive odd 
number. Let n = p{' --- p%r be the prime factorization of n. Then we define 
the Jacobi symbol (2) as the product of the Legendre symbols for the prime 


factors of n: A anes ss doi 
aig =) 


A word of warning is in order here. If (¢) = 1 for n composite, it is not 
necessarily true that a is a square modulo n. For example, (2 5) = (2 )(2 i 
(—1)(—1) = 1, but there is no integer x such that 2? = 2 mod 15. 

We now generalize Propositions II.2.4-5 to the Jacobi symbol. 

Proposition II.2.6. For any positive odd n we have (2) = (-1)"-D/8 

Proof. Let f(n) denote the function on the right side of the equal- 
ity, as in the proof of Proposition II.2.4. It is easy to see that f(nin2) = 
f (ni) f (nz) for any two odd numbers n; and ng. (Just consider the different 
possibilities for n; and nz modulo 8.) This means that the right side of the 
equality in the proposition equals f(p;)*! --- f(p,)*" = (oa vee (a) by 
Proposition II.2.4. But this is (2), by definition. 

Proposition II.2.7. For any two positive odd integers m and n we have 
(2)= = (- 1)(m- 1)(n- 1)/4( 2. 2), 

Proof. First note that if m and n have a common factor, then it follows 
from the definition of the Legendre and Jacobi symbols that both sides are 
zero. So we can suppose that g.c.d.(m,n) = 1. Next, we write m and n 
as products of primes: m = pip2---p, and n = qigo---qs- (The p’s and 
q’s include repetitions if m or n has a square factor.) In converting from 
(*)=Th, (Bt) to(2)= Tl, (®) we must apply the quadratic reciprocity 
law for the Legendre symbol rs times. The number of (—1)’s we get is 
the number of times both p; and q; are = 3 mod 4, i.e., it is the product 
of the number of primes = 3 mod 4 in the factorization of m and in the 
factorization of n. Thus, (7) = (7) unless there are an odd number of 
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primes = 3 mod 4 in both factorizations, in which case (@) = —(%). But 
a product of odd primes, such as m or n, is = 3 mod 4 if and only if it 
contains an odd number of primes which are = 3 mod 4. We conclude that 
(@) = (2) unless both m and n are = 3 mod 4, as was to be proved. This 
gives us the reciprocity law for the Jacobi symbol. 

Example 2. We return to Example 1, and show how to evaluate the 
Legendre symbol without factoring 1872, except to take out the power of 
2. By the reciprocity law for the Jacobi symbol we have 


(Se - 16 W17\ (Ally _ 40 
aD ~ Calon: is ( 7) ~ (sz): 
and this is equal to —(;25)(;85) = (735) = (#4) = (2?) =-1. 

Square roots modulo p. Using quadratic reciprocity, one can quickly 
determine whether or not an integer a is a quadratic residue modulo p. 
However, if it is a residue, that does not tell us how to find a solution to 
the congruence 2” = a mod p — it tells us only that a solution exists. We 
conclude this section by giving an algorithm for finding a square root of a 
residue a once we know any nonresidue n. 

Let p be an odd prime, and suppose that we somehow know a quadratic 
nonresidue n. Let a be an integer such that (5) = 1. We want to find an 


integer x such that x? = a mod p. Here is how we proceed. First write p—1 
in the form 2% - s, where s is odd. Then compute n* modulo p, and call 
that b. Next compute a*+1)/2 modulo p, and call that r. Our first claim is 
that r comes reasonably close to being a square root of a. More precisely, 
if we take the ratio of r? to a, we claim that we get a 2°—1-th root of unity 
modulo p. Namely, we compute (for brevity, we shall use equality to mean 
congruence modulo p, and we use a—! to mean the inverse of a modulo p): 


(a7 r2)2°* = get") = gP-/2 — (*) 1. 
Pp 

We must then modify r by a suitable 2%-th root of unity to get an x such 
that x/a is 1. To do this, we claim that b is a primitive 2°-th root of unity, 
which means that all 2%-th roots of unity are powers of b. To see this, first we 
note that b is a 2%-th root of 1, because b?” = n?"* = nP-! = 1. If b weren’t 
primitive, there would be a lower power (a divisor of 2%) of b that gives 1. 
But then b would be an even power of a primitive 2%-th root of unity, and 
so would be a square in F5. This is impossible, because (2) = (3)° =-1 
(since s is odd and n is a nonresidue). Thus, b is a primitive 2%-th root 
of unity. So it remains to find a suitable power b’, 0 < j < 2%, such that 
x = b’r gives the desired square root of a. To do that, we write j in binary 
as j = jo + 291 + 472 +--+» + 2%-*ja~-2, and show how one successively 
determines whether jo, j1,... is 0 or 1. (Note that we may suppose that 
j < 2°71, since 62*"" = —1, and so j can be modified by 2°! to give 
another j for which b’r is the other square root of a.) Here is the inductive 
procedure for determining the binary digits of j: 
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1. Raise (r?/a) to the 2*-?-th power. We proved that the square of this 
is 1. Hence, you get either +1. If you get 1, take jo = 0; if you get —1, 
take jo = 1. Notice that jo has been chosen so that ((b%°r)?/a) is a 
2°-2.th root of unity. 

2. Suppose you’ve found jo,...,3,—1 such that (piot2ir te +28 Gea)? /q 
is a 2°—*-1-th root of unity, and you want to find j,. Raise this number 
to half the power that gives 1, and choose j, according to whether you 
get +1 or —1: 


ga-k—-2 


it (ema ={} 


a 


then take 3, = 17 , Tespectively. 


We easily check that with this choice of 7, the “corrected” value comes 
closer to being a square root of a, i.e., we find that (biot+2/1+-+2" kp)? /q 
is a 2°—*-2_th root of unity. 

When we get to k = a — 2 and find jg_2, we then have 


(biotite 42°%ja-ap)2 /q = 1, 


i.e., br is a square root of a, as desired. 

Example 3. Use the above algorithm to find a square root of a = 186 
modulo p = 401. 

Solution. The first nonresidue is n = 3. We have p— 1 = 24 - 25, 
and so b = 375 = 268 and r = a!S = 103 (where we use equality to 
denote congruence modulo p). After first computing a~! = 235, we note 
that r?/a = 98, which must be an 8-th root of 1. We compute that 98* = —1, 
and so jo = 1. Next, we compute (br)?/a = —1. Since the 2-nd power of 
this is 1, we have 7; = 0, and then j2 = 1. Thus, 7 = 5 and the desired 
square root is b°r = 304. 

Remarks. 1. The easiest case of this algorithm occurs when p is a 
prime which is = 3 mod 4. Then a = 1, s = (p—1)/2, so (s+1)/2 = (p+1)/4, 
and we see that z = r = a‘?+1)/4 is already the desired square root. 

2. We now discuss the time estimate for this algorithm. We suppose 
that we start already knowing the information that n is a nonresidue. The 
steps in finding s, b, and r = a(*+)/2 (working modulo p, of course) take at 
most O(log?p) bit operations (see Proposition 1.3.6). Then in finding j the 
most time-consuming part of the k-th induction step is raising a number to 
the 2°-*-?-th power, and this means a — k — 2 squarings mod p of integers 
less than p. Since a — k — 2 < a, we have the estimate O(a logp) for 
each step. Thus, since there are a — 1 steps, the final estimate is O(log?p + 
a*log*p) = O(log*p(log p + a”)). At worst (if almost all of p—1 is a power 
of 2), this is O(log*p), since a < logap = O(log p). Thus, given a nonresidue 
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modulo p, we can extract square roots mod p in polynomial time (bounded 
by the fourth power of the number of bits in p). 

3. Strictly speaking, it is not known (unless one assumes the validity 
of the so-called “Riemann Hypothesis”) whether there is an algorithm for 
finding a nonresidue modulo p in polynomial time. However, given any 
€ > 0 there is a polynomial time algorithm that finds a nonresidue with 
probability greater than 1 — «. Namely, a randomly chosen number n, 0 < 
n < p, has a 50% chance of being a nonresidue, and this can be checked 
in polynomial time (see Exercise 17 below). If we do this for more than 
loga(1/e) different randomly chosen n, then with probability > 1 — € at 
least one of them will be a nonresidue. 


Exercises 


1. Make a table showing all quadratic residues and nonresidues modulo 
p for p = 3, 5, 7, 13, 17, 19. 

2. Suppose that p\2?" +1, where k > 1. 

(a) Use Exercise 4 of §1.4 to prove that p = 1 mod 2*+1 
(b) Use Proposition II.2.4 to prove that p = 1 mod 2*+? 
(c) Use part (b) to prove that 216 + 1 is prime. 

3. How many 84-th roots of 1 are there in the field of 11° elements? 

4. Prove that (=) = 1if p =1 or 3 mod 8, and (3) =-1 if p =5 or 
7 mod 8. 

5. Find (24) using quadratic reciprocity. 

6. Find the Gauss sum G = ee (2) (here € is a q-th root of 1 in F,s, 
where pf = 1 mod q) when: 

(a) q=7, p= 29, f =1,€=7; 
(b) q=5, p=19, f =2, € = 2 — 44, where 7 is a root of X? + 1; 
(c) q=7, p= 13, f =2, £=4+ a, where a is a root of X? — 2. 

7. Let m=a*t+1, a> 2. Find a positive integer z between 0 and m/2 
such that x? = 2 mod m. Use this to find 2 in F, when p is each of 
the following: the Fermat primes 17, 257, 65537; p = 41 = (34 + 1)/2, 
p = 1297, and p = 1201. (Hint: see the proof of Proposition II.2.4.) 

8. Let p and q be two primes with g = 1 mod p. Let & be a primitive p-th 
root of unity in F,. Find a formula in terms of € for a square root of 
(=")p in Fy. 

9. (a) Let m = a? —1, where p is an odd prime and a > 2. Find a positive 
integer x between 0 and m/2 such that 2? = (=)p mod m. Use this 
to find V5 in F3), V7 in F497, V13 in Fgi91, and J/-7 in Fj993. 

(b) If ¢g = 2? — 1 is a Mersenne prime, find an expression for the least 
positive integer whose square is = (=*)p mod q. 
10. Evaluate the Legendre symbol (330t) (a) using the reciprocity law only 
for the Legendre symbol (i.e., factoring all numbers that arise), and (b) 


11. 


12. 


13. 


14. 
15. 


16. 


17. 


18. 


19. 


20. 
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without factoring any odd integers, instead using the reciprocity law 
for the Jacobi symbol. 

Evaluate the following Legendre symbols: 

(a) (3); (b) (39); (c) (25); (d) (3); (e) (senaeeaas )3 (f) (283); 


43691 
( ) 65837 


(a) Let p be an odd prime. Prove that —3 is a residue in F, if and only 
if p= 1 mod 3. 

(b) Prove that 3 is a quadratic nonresidue modulo any Mersenne prime 
greater than 3. 

Find a condition on the last decimal digit of p which is equivalent to 
5 being a square in F,. 

Prove that a quadratic residue can never be a generator of FS. 

Let p be a Fermat prime. 

(a) Show that any quadratic nonresidue is a generator of F5. 

(b) Show that 5 is a generator of FJ, except in the case p = 5. 

(c) Show that 7 is a generator of Ff, except in the case p = 3. 

Let p be a Mersenne prime, let q = p*, and let i be a root of X7+1=0, 
so that F, = F,(#). 

(a) Suppose that the integer a? + b? is a generator of F5. Prove that 
a+ bi is a generator of F*. 

(b) Show that either 4 +72 or 3 + 2: will serve as a generator of F3,2. 
Let p be an odd prime and a be an integer between 1 and p — 1. 
Estimate in terms of p the number of bit operations needed to compute 
({) (a) using the reciprocity law for the Jacobi symbol, and (b) using 
Proposition II.2.2 and Proposition 1.3.6. 

(a) Let p be an odd prime, and let a, b, c be integers with p Ja. 
Prove that the number of solutions x € {0, 1, 2,...,p — 1} to the 
congruence az? + bx + c = 0 mod p is given by the formula 1 + (2), 
where D = b? — 4ac is the discriminant. 

(b) How many solutions in F3 are there to each of the following equa- 
tions: (i) z? + 1 = 0; (ii) 7 ++ 2+1 =0; (iii) x? + 21z — 11 = 0; (iv) 
x? +2+21=0; (v) 2? — 42 —13 = 0? 

(c) How many solutions in F997 are there to each of the equations in 
part (b)? 

Let p = 2081, and let n be the smallest positive nonresidue modulo p. 
Find n, and use the method in the text to find a square root of 302 
modulo p. 

Let m = py!---p%" be an odd integer, and suppose that a is prime 
to m and is the square of some integer modulo m. Your object is to 
find x such that 2? = a mod m. Suppose that for each 7 you know a 
nonresidue modulo p,, i.e., an integer n; such that (3) =-1. 

(a) For each fixed p = p; and a = aj, suppose you use the algorithm 
in the text to find some zo such that 22 = a mod p. Show how you can 
then find some x = 29 + 21p+:--+2%q_1p%~! such that x2? = a mod p*. 
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22. 


23. 
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(b) Describe how to find an x such that x? = a mod m. 

The technique in parts (a)—(b) of this exercise is known as “lifting” a 
square root from F,, (1 < j <r) to Z/mZ. 

In the text we saw that if n is an odd prime and g.c.d.(b,n) = 1, then 


p(r-1)/2 = (2) mod n. (*) 


The purpose of this exercise is to show that, if n is an odd composite 
integer, then the relation (*) is false for at least 50% of all b for which 
g.c.d.(b,n) = 1. 

(a) Prove that if (+) is true for b; and is false for b, then it is false for 
the product bb. Use this to prove that if (+) is false for even a single 
b, then the number of b’s for which it is false is at least as great as the 
number of b’s for which it is true. 

(b) If n is divisible by the square of a prime p, show how to find an 
integer b prime to n such that b("—1)/2 is not = +1 mod n. 

(c) If n is a product of distinct primes, if p is one of those primes, and 
if b has the property that (2) = —1 and b=1 mod n/p, prove that (*) 
fails for b. Then show that such a b always exists. 

Explain why the following probabilistic algorithm gives a square root 
of a modulo p: Choose ¢ in F, at random until you find ¢ such that 
t? — a is a nonsquare modulo p. Let a denote the element Vt? — a in 
the quadratic extension F,2. Then compute b = (t + a)(?+1)/?, Show 
that b is in F, and has the property that b? = a. 

Suppose that p is a prime = 1 mod 4, and suppose you have found 
a quadratic nonresidue n. Describe an algorithm for expressing p as a 
sum of two squares p = c? + d? that takes time O(log?p). 
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II] 
Cryptography 


1 Some simple cryptosystems 


Basic notions. Cryptography is the study of methods of sending messages 
in disguised form so that only the intended recipients can remove the dis- 
guise and read the message. The message we want to send is called the 
plaintext and the disguised message is called the ciphertext. The plaintext 
and ciphertext are written in some alphabet (usually, but not always, they 
are written in the same alphabet) consisting of a certain number N of let- 
ters. The term “letter” (or “character” ) can refer not only to the familiar 
A—2Z, but also to numerals, blanks, punctuation marks, or any other sym- 
bols that we allow ourselves to use when writing the messages. (If we don’t 
include a blank, for example, then all of the words are run together, and 
the messages are harder to read.) The process of converting a plaintext to 
a ciphertext is called enciphering or encryption, and the reverse process is 
called deciphering or decryption. 

The plaintext and ciphertext are broken up into message units. A mes- 
sage unit might be a single letter, a pair of letters (digraph), a triple of 
letters (trigraph), or a block of 50 letters. An enciphering transformation is 
a function that takes any plaintext message unit and gives us a ciphertext 
message unit. In other words, it is a map f from the set P of all possible 
plaintext message units to the set C of all possible ciphertext message units. 
We shall always assume that f is a 1-to-1 correspondence. That is, given a 
ciphertext message unit, there is one and only one plaintext message unit 
for which it is the encryption. The deciphering transformation is the map 
f—: which goes back and recovers the plaintext from the ciphertext. We 
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can represent the situation schematically by the diagram 
f -1 
P—C—P. 


Any such set-up is called a cryptosystem. 

The first step in inventing a cryptosystem is to “label” all possible 
plaintext message units and all possible ciphertext message units by means 
of mathematical objects from which functions can be easily constructed. 
These objects are often simply the integers in some range. For example, 
if our plaintext and ciphertext message units are single letters from the 
26-letter alphabet A—Z, then we can label the letters using the integers 
0, 1, 2,..., 25, which we call their “numerical equivalents.” Thus, in place 
of A we write 0, in place of S we write 18, in place of X we write 23, and so 
on. As another example, if our message units are digraphs in the 27-letter 
alphabet consisting of A—Z and a blank, we might first let the blank have 
numerical equivalent 26 (one beyond Z), and then label the digraph whose 
two letters correspond to z, y € {0, 1, 2,..., 26} by the integer 


27x +y € {0, 1,..., 728}. 


Thus, we view the individual letters as digits to the base 27 and we view 
the digraph as a 2-digit integer to that base. For example, the digraph 
“NO” corresponds to the integer 27 - 13 + 14 = 365. Analogously, if we 
were using trigraphs as our message units, we could label them by integers 
7292+27y+z € {0,1,..., 19682}. In general, we can label blocks of k letters 
in an N-letter alphabet by integers between 0 and N* — 1 by regarding each 
such block as a k-digit integer to the base N. 

In some situations, one might want to label message units using other 
mathematical objects besides integers — for example, vectors or points on 
some curve. But for the duration of this section we shall use integers. 

Examples. Let us start with the case when we take a message unit 
(of plaintext or of ciphertext) to be a single letter in an N-letter alphabet 
labeled by the integers 0, 1, 2,..., N—1. Then, by definition, an enciphering 
transformation is a rearrangement of these N integers. 

To facilitate rapid enciphering and deciphering, it is convenient to have 
a relatively simple rule for performing such a rearrangement. One way is to 
think of the set of integers {0, 1, 2,..., MN —1} as Z/NZ, and make use of 
the operations of addition and multiplication modulo N. 

' Example 1, Suppose we are using the 26-letter alphabet A—Z with 
numerical equivalents 0—25. Let the letter P € {0, 1,..., 25} stand for a 
plaintext message unit. Define a function f from the set {0, 1,..., 25} to 
itself by the rule 

_jJP+3, if < 23, 
HEY es if x > 23. 


In other words, f simply adds 3 modulo 26: f(P) = P +3 mod 26. The 
definition using modular arithmetic is easier to write down and work with. 
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Thus, with this system, to encipher the word “YES” we first convert to 
numbers: 24418, then add 3 modulo 26: 1721, then translate back to let- 
ters: “BHV.” To decipher a message, one subtracts 3 modulo 26. For exam- 
ple, the ciphertext “ZKB” yields the plaintext “WHY.” This cryptosystem 
was apparently used in ancient Rome by Julius Caesar, who supposedly 
invented it himself. 

Example 1 can be generalized as follows. Suppose we are using an 
N-letter alphabet with numerical equivalents 0, 1,..., N — 1. Let b bea 
fixed integer. By a shift transformation we mean the enciphering function f 
defined by the rule C = f(P) = P+b mod N. Julius Caesar’s cryptosystem 
was the case N = 26, b = 3. To decipher a ciphertext message unit C € 
{0, 1,..., N —1}, we simply compute P = f-'(C)=C —b mod N. 

Now suppose that you are not privy to the enciphering and deciphering 
information, but you would nevertheless like to be able to read the coded 
messages. This is called breaking the code, and the science of breaking codes 
is called cryptanalysis. 

In order to break a cryptosystem, one needs two types of information. 
The first is the general nature (the structure) of the system. For example, 
suppose we know that the cryptosystem uses a shift transformation on single 
letters of the 26-letter alphabet A—Z with numerical equivalents 0—25, 
respectively. The second type of information is knowledge of a specific choice 
of certain parameters connected with the given type of cryptosystem. In our 
example, the second type of information one needs to know is the choice 
of the shift parameter b. Once one has that information, one can encipher 
and decipher by the formulas C = P +b mod N and P=C—bmod N. 

We shall always assume that the general structural information is al- 
ready known. In practice, users of cryptography often have equipment for 
enciphering and deciphering which is constructed to implement only one 
type of cryptosystem. Over a period of time the information about what 
type of system they’re using might leak out. To increase their security, 
therefore, they frequently change the choice of parameters used with the 
system. For example, suppose that two users of the shift cryptosystem are 
able to meet once a year. At that time they agree on a list of 52 choices of 
the parameter b, one for each week of the coming year. 

The parameter b (more complicated cryptosystems usually have several 
parameters) is called a key, or, more precisely, the enciphering key. 

Example 2. So suppose that we intercept the message “FQOCUDEM”, 
which we know was enciphered using a shift transformation on single letters 
of the 26-letter alphabet, as in the example above. It remains for us to find 
the b. One way to do this is by frequency analysis. This works as follows. 
Suppose that we have already intercepted a long string of ciphertext, say 
several hundred letters. We know that “E” is the most frequently occurring 
letter in the English language. So it is reasonable to assume that the most 
frequently occurring letter in the ciphertext is the encryption of E. Suppose 
that we find that “U” is the most frequently occurring character in the 
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ciphertext. That means that the shift takes “E”=4 to “U”=20, ie., 20 = 
4+b mod 26, so that b = 16. To decipher the message, then, it remains for 


us to subtract 16 (working modulo 26) from the numerical equivalents of 
“FQOCUDEM”: 


“FQOCUDEM” = 516142203412 nw 
150 24124131422 = “PAYMENOW”. 


In the case of a shift encryption of single letters of a 26-letter alphabet, 
it is not even necessary to have a long string of ciphertext to find the most 
frequently occurring letter. After all, there are only 26 possibilities for b, 
and one can simply run through all of them. Most likely, only one will give 
a message that makes any sense, and that b is the enciphering key. 

Thus, this type of cryptosystem is too simple to be much good. It is 
too easy to break. An improvement is to use a more general type of trans- 
formation of Z/NZ, called an affine map: C = aP +b mod N, where a and 
b are fixed integers (together they form the enciphering key). For example, 
working again in the 26-letter alphabet, if we want to encipher our mes- 
sage “PAYMENOW?” using the affine transformation with enciphering key 
a=7, b=12, we obtain: 15024124131422 + 131224181425610= 
“NMYSOZGk”. 

To decipher a message that was enciphered by means of the affine map 
C = aP +b mod N, one simply solves for P in terms of C, obtaining 
P=adC+0' mod N, where a’ is the inverse of a modulo N and 0’ is 
equal to —a~1b. Note that this works only if g.c.d.(a,N) = 1; otherwise, 
we cannot solve for P in terms of C. If g.c.d.(a,N) > 1, then it is easy 
to see that more than one plaintext letter will give the same ciphertext 
letter, so we cannot uniquely recover the plaintext from the ciphertext. By 
definition, that is not an enciphering transformation: we always require that 
the map be 1-to-1, i.e., that the plaintext be uniquely determined from the 
ciphertext. To summarize, an affine cryptosystem in an N-letter alphabet 
with parameters a € (Z/NZ)* and b € Z/NZ consists of the rules: 


C=aP+bmod N, P=aC+0' mod N, 


where 
a’ =a! in (Z/NZ)*, b! = —a~1b. 

As a special case of the affine cryptosystems we can set a = 1, thereby 
obtaining the shift transformations. Another special case is when b = 0: 
P = aC mod N, C = a“'P mod N. The case b = 0 is called a linear 
transformation, meaning that the map takes a sum to a sum, i.e., if C) is 
the encryption of P; and C2 is the encryption of P2, then C; + C2 is the 
encryption of P, + P2 (where, of course, we are adding modulo N). 

Now suppose that we know that an intercepted message was enciphered 
using an affine map of single letters in an N-letter alphabet. We would like 
to determine the enciphering key a, b so that we can read the message. We 
need two bits of information to do this. 
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Example 3. Still working in our 26-letter alphabet, suppose that we 
know the most frequently occurring letter of ciphertext is “K”, and the sec- 
ond most frequently occurring letter is “D”. It is reasonable to assume that 
these are the encryptions of “E” and “T”, respectively, which are the two 
most frequently occurring letters in the English language. Thus, replacing 
the letters by their numerical equivalents and substituting for P and C in 
the deciphering formula, we obtain: 


10a’ + b' = 4 mod 26, 
3a’ + b' = 19 mod 26. 


We have two congruences with two unknowns, a’ and b’. The quickest way 
to solve is to subtract the two congruences to eliminate b’. We obtain 7a’ = 
11 mod 26, and a’ = 7-111 = 9 mod 26. Finally, we obtain b’ by substituting 
this value for a’ in one of the congruences: b’ = 4 — 10a’ = 18 mod 26. So 
messages can be deciphered by means of the formula P = 9C + 18 mod 26. 

Recall from linear algebra that n equations suffice to find n unknowns 
only if the equations are independent (i.e., if the determinant is nonzero). 
For example, in the case of 2 equations in 2 unknowns this means that the 
straight line graphs of the equations intersect in a single point (are not par- 
allel). In our situation, when we try to cryptanalyze an affine system from 
the knowledge of the two most frequently occurring letters of ciphertext, 
we might find that we cannot solve the two congruences uniquely for a’ and 
b'. 

Example 4. Suppose that we have a string of ciphertext which we know 
was enciphered using an affine transformation of single letters in a 28-letter 
alphabet consisting of A—Z, a blank, and ?, where A—Z have numerical 
equivalents 0—25, blank=26, ?=27. A frequency analysis reveals that the 
two most common letters of ciphertext are “B” and “?”, in that order. Since 
the most common letters in an English language text written in this 28- 
letter alphabet are “ ” (blank) and “EB”, in that order, we suppose that “B” 
is the encryption of “ ” and “?” is the encryption of “E”. This leads to the 
two congruences: a’ + b! = 26 mod 28, 27a’ + b! = 4 mod 28. Subtracting 
the two congruences, we obtain: 2a’ = 22 mod 28, which is equivalent to 
the congruence a’ = 11 mod 14. This means that a’ = 11 or 25 mod 28, and 
then b! = 15 or 1 mod 28, respectively. The fact of the matter is that both 
of the possible affine deciphering transformations 11C + 15 and 25C +1 
give “ ” and “BE” as the plaintext letters corresponding to “B” and “?”, 
respectively. At this point we could try both possibilities, and see which 
gives an intelligible message. Or we could continue our frequency analysis. 
Suppose we find that “I” is the third most frequently occurring letter of 
ciphertext. Using the fact that “T” is the third most common letter in 
the English language (of our 28 letters), we obtain a third congruence: 
8a’ +b’ = 19 mod 28. This extra bit of information is enough to determine 
which of the affine maps is the right one. We find that it is 11C' + 15. 
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Digraph transformations. We now suppose that our plaintext and ci- 
phertext message units are two-letter blocks, called digraphs. This means 
that the plaintext is split up into two-letter segments. If the entire plaintext 
has an odd number of letters, then in order to obtain a whole number of 
digraphs we add on an extra letter at the end; we choose a letter which 
is not likely to cause confusion, such as a blank if our alphabet contains a 
blank, or else “X” or “Q” if we are using just the 26-letter alphabet. 

Each digraph is then assigned a numerical equivalent. The simplest 
way to do this is to take N+ y, where z is the numerical equivalent of the 
first letter in the digraph, y is the numerical equivalent of the second letter 
in the digraph, and N is the number of letters in the alphabet. Equivalently, 
we think of a digraph as a 2-digit base-N integer. This gives a 1-to-1 corre- 
spondence between the set of all digraphs in the N-letter alphabet and the 
set of all nonnegative integers less than N? We described this “labeling” of 
digraphs before in the special case when N = 27. 

Next, we decide upon an enciphering transformation, i.e., a rearrange- 
ment of the integers {0, 1, 2,..., N? —1}. Among the simplest enciphering 
transformations are the affine ones, where we view this set of integers as 
Z/N?Z, and define the encryption of P to be the nonnegative integer less 
than N? satisfying the congruence C = aP + b mod N? Here, as before, 
a must have no common factor with N (which means it has no common 
factor with N*), in order that we have an inverse transformation telling 
us how to decipher: P = a’C +b’ mod N?, where a’ = a~! mod N? 
b' = —a~1b mod N? We translate C into a two-letter block of ciphertext 
by writing it in the form C = 2’ N +} and then looking up the letters with 
numerical equivalents x’ and y! 

Example 5. Suppose we are working in the 26-letter alphabet and using 
the digraph enciphering transformation C = 159P+580 mod 676. Then the 
digraph “NO” has numerical equivalent 13 - 26 + 14 = 352 and is taken to 
the ciphertext digraph 159 - 352 + 580 = 440 mod 676, which is “QY” The 
digraph “ON” has numerical equivalent 377, and is taken to 359=“NV” 
Notice that the digraphs change as a unit, and there is no relation between 
the encryption of one digraph and that of another one that has a letter in 
common with it or even consists of the same letters in the reverse order. 

To break a digraphic encryption system which uses an affine transfor- 
mation C = aP+b mod N? we need to know the ciphertext corresponding to 
two different plaintext message units. Since the message units are digraphs, 
a frequency analysis means counting which two-letter blocks occur most 
often in a long string of ciphertext (of course, counting only those occur- 
rences where the first letter begins a message unit, ignoring the occurrences 
of the two letters which straddle two message units), and comparing with 
the known frequency of digraphs in English language texts (written in the 
same alphabet). For example, if we use the 26-letter alphabet, statistical 
analyses seem to show that “TH” and “HE” are the two most frequently 
occurring digraphs, in that order. Knowing two plaintext—ciphertext pairs 
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of digraphs is often (but not always) enough to determine a and b. 

Example 6. You know that your adversary is using a cryptosystem with 
a 27-letter alphabet, in which the letters A—Z have numerical equivalents 
0—25, and blank=26. Each digraph then corresponds to an integer between 
0 and 728 = 27? — 1 according to the rule that, if the two letters in the 
digraph have numerical equivalents x and y, then the digraph has numerical 
equivalent 27x + y, as explained earlier. Suppose that a study of a large 
sample of ciphertext reveals that the most frequently occurring digraphs are 
(in order) “ZA” “IA” and “IW” Suppose that the most common digraphs in 
the English language (for text written in our 27-letter alphabet) are “E ” 
(i.e., “E blank”), “S * “ T” You know that the cryptosystem uses an affine 
enciphering transformation modulo 729. Find the deciphering key, and read 
the message “NDXBHO” Also find the enciphering key. 

Solution. We know that plaintexts are enciphered by means of the rule 
C = aP +b mod 729, and that ciphertexts can be deciphered by means of 
the rule P = a'C + b' mod 729; here a, b form the enciphering key, and 
a, b' form the deciphering key. We first want to find a’ and b! We know how 
three digraphs are deciphered, and, after we replace the digraphs by their 
numerical equivalents, this gives us the three congruences: 


675a’ + b' = 134 mod 729, 
216a’ + b’ = 512 mod 729, 
238a’ + b’ = 721 mod 729. 


If we try to eliminate b’ by subtracting the first two congruences, we arrive 
at 459a’ = 351 mod 729, which does not have a unique solution a’ mod 729 
(there are 27 solutions). We do better if we subtract the third congruence 
from the first, obtaining 437a’ = 142 mod 729. To solve this, we must find 
the inverse of 437 modulo 729. By way of review of the Euclidean algorithm, 
let’s go through that in detail: 


729 = 437 + 292 
437 = 292 + 145 


292 = 2-145+2 
145 = 72-241 
and then 
1=145 —72-2 


= 145 — 72(292 — 2-145) 

= 145-145 — 72-292 

= 145(437 — 292) — 72 - 292 
= 145 - 437 — 217 - 292 

= 145 - 437 — 217(729 — 437) 
= 362 - 437 mod 729. 
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Thus, a’ = 362 - 142 = 374 mod 729, and then b! = 134 — 675 - 374 = 
647 mod 729. Now applying the deciphering transformation to the digraphs 
“ND”, “XB” and “HO” of our message — they correspond to the integers 
354, 622 and 203, respectively — we obtain the integers 365, 724 and 24. 
Writing 365 = 13-27+14, 724 = 26-27+22, 24 = 0-27+ 24, we put together 
the plaintext digraphs into the message “NO WAY” Finally, to find the 
enciphering key we compute a = a!’ = 374-1 = 614 mod 729 (again using 
the Euclidean algorithm) and b = —a’~'b! = —614 - 647 = 47 mod 729. 


Remark. Although affine cryptosystems with digraphs (i.e., modulo 
N?) are better than the ones using single letters (i.e., modulo N), they also 
have drawbacks. Notice that the second letter of each ciphertext digraph 
depends only on the second letter of the plaintext digraph. This is because 
that second letter depends on the mod-N value of C = aP + b mod N?, 
which depends only on P modulo N, i.e., only on the second letter of the 
plaintext digraph. Thus, one could obtain a lot of information (namely, 
a and b modulo N) from a frequency analysis of the even-numbered let- 
ters of the ciphertext message. A similar remark applies to mod-N* affine 
transformations of k-letter blocks. 


Exercises 


1. Incertain computer bulletin-board systems it is customary, if you want 
to post a message that may offend some people (e.g., a dirty joke), to 
encipher the letters (but not the blanks or punctuation) by a trans- 
lation C = P +b mod 26. It is then easy to decipher the text if one 
wants to, but no one is forced to see a message that jars on the nerves. 
Decipher the punchline of the following story (use frequency analysis 
to find b): At an international convention of surgeons, representatives 
of different countries were comparing notes on recent advances in reat- 
taching severed parts of the body. The French, Americans and Russians 
were being especially boastful. The French surgeon said, “We sewed a 
leg on an injured runner, and a year later he placed in a national 
1000-meter race.” “Using the most advanced surgical procedures,” the 
Russian surgeon chimed in, “we were able to put back an athlete’s 
entire arm, and a year later with the same arm he established a new 
world record for the shot put.” But they all fell silent when the Amer- 
ican, not to be outdone, announced that “Jr frjrq n fzvyr ba n ubefr’f 
nff, naq n Irne yngre vg jnf ryrpgrq Cerfvqrag!” (Note: We are using 
a 26-letter alphabet, but we have inserted blanks and punctuation for 
ease of reading.) 

2. Using frequency analysis, cryptanalyze and decipher the following mes- 
sage, which you know was enciphered using a shift transformation of 
single-letter plaintext message units in the 26-letter alphabet: 

PXPXKXENVDRUXVTNLXHYMXGMAXYKXJN 
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XGVRFXMAHWGXXWLEHGZXKVBIAXKMXQM. 
In the 27-letter alphabet (with blank=26), use the affine encipher- 
ing transformation with key a = 13, b = 9 to encipher the message 
“HELP ME.” 
In a long string of ciphertext which was encrypted by means of an 
affine map on single-letter message units in the 26-letter alphabet, 
you observe that the most frequently occurring letters are “Y” and 
“Vv”, in that order. Assuming that those ciphertext message units 
are the encryption of “E” and “T”, respectively, read the message 
“QAOOYQQEVHEQV”. 
You are trying to cryptanalyze an affine enciphering transforma- 
tion of single-letter message units in a 37-letter alphabet. This al- 
phabet includes the numerals 0-9, which are labeled by themselves 
(ie., by the integers 0-9). The letters A—Z have numerical equiva- 
lents 10—35, respectively, and blank=36. You intercept the ciphertext 
“OH7F86BB46R36270266BB9” (here the O’s are the letter “oh”, not 
the numeral zero). You know that the plaintext ends with the signature 
“007” (zero zero seven). What is the message? 
You intercept the ciphertext “OF JDFOHFXOL.”, which was enciphered 
using an affine transformation of single-letter plaintext units in the 27- 
letter alphabet (with blank=26). You know that the first word is “I ” 
(“I” followed by blank). Determine the enciphering key, and read the 
message. 
(a) How many different shift transformations are there with an N-letter 
alphabet? 
(b) Find a formula for the number of different affine enciphering trans- 
formations there are with an N-letter alphabet. 
(c) How many affine transformations are there when N = 26, 27, 29, 
30? 
A plaintext message unit P is said to be fired for a given enciphering 
transformation f if f(P) = P. Suppose we are using an affine enci- 
phering transformation on single-letter message units in an N-letter 
alphabet. In this problem we also assume that the affine map is not a 
shift, ie., that a #1. 
(a) Prove that if N is a prime number, then there is always exactly 
one fixed letter. 
(b) Prove (for any N) that if our affine transformation is linear, i.e., if 
b = 0, then it has at least one fixed letter; and that, if N is even, then 
a linear enciphering transformation has at least two fixed letters. 
(c) Give an example for some N of an affine enciphering transformation 
which has no fixed letter. 
Now suppose that our message units are digraphs in an N-letter al- 
phabet. Find a formula for the number of different affine enciphering 
transformations there are. How many are there when N = 26, 27, 29, 
30? 


10. 


11. 


12. 
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You intercept the ciphertext message “PWULPZTQAWHF” which you 
know was encrypted using an affine map on digraphs in the 26-letter 
alphabet, where, as in the text, a digraph whose two letters have nu- 
merical equivalents x and y corresponds to the integer 262 + y. An ex- 
tensive statistical analysis of earlier ciphertexts which had been coded 
by the same enciphering map shows that the most frequently occurring 
digraphs in all of that ciphertext are “IX” and “TQ”, in that order. It 
is known that the most common digraphs in the English language are 
“TH” and “HE” in that order. 

(a) Find the deciphering key, and read the message. 

(b) You decide to have the intended recipient of the message inca- 
pacitated, but you don’t want the sender to know that anything is 
amiss. So you want to impersonate the sender’s accomplice and reply 
“GOODWORK”. Find the enciphering key, and determine the appro- 
priate ciphertext. 

You intercept the coded message “DXM SCE DCCUVGX ”, which 
was enciphered using an affine map on digraphs in a 30-letter alpha- 
bet, in which A—Z have numerical equivalents 0—25, blank=26, ?=27, 
!=28, ’=29. A frequency analysis shows that the most common di- 
graphs in earlier ciphertexts are “M ”, “U ”, and “IH”, in that order. 
Suppose that in the English language the most frequently occurring 
digraphs (in this particular 30-letter alphabet) are “E ”, “S ”, and 
“ T”, in that order. 

(a) Find the deciphering key, and read the message. 

(b) Find the enciphering key, and encrypt the message “YES I'M JOK- 
ING!” 

The same techniques apply, of course, if one is using some other al- 
phabet besides the Latin alphabet. For example, this exercise uses the 
Russian alphabet (it is not necessary, or even helpful, to know Russian 
or the Cyrillic alphabet in order to do this exercise). Use the following 
numerical equivalents for the Cyrillic alphabet: 


ABBTrAEERK 344A 
01 2 3 4 5 6 7 8 9 10 


K JI M H O WD P C T Y © 
11 12 13 14 15 #16 17 #18 19 20 21 


Xx Tf UW Wb oebpoesewnaA 
22 23 24 25 26 27 #28 #29 30 31 32 


Suppose that you intercept the coded message “I[HTU”, which was 
enciphered using an affine map on digraphs in the above 33-letter al- 
phabet. A frequency analysis of earlier ciphertext shows that the most 
frequently occurring ciphertext digraphs are “IIAl” and “bIT” in that 
order. Suppose it is known that the two most frequently occurring 
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digraphs in the Russian language are “HO” and “ET” Find the deci- 
phering key, and write out the plaintext message. 

Recall from Exercise 8 that a fired plaintext message unit is one that 
the given enciphering transformation keeps the same. Find all fixed 
digraphs for the enciphering transformation in Exercise 11. 

By the product (or composition) of two cryptosystems, we mean the 
cryptosystem that results from enciphering a plaintext using the first 
cryptosystem and then treating the resulting ciphertext as plaintext 
for the second cryptosystem, i.e., encrypting a second time using the 
second system. More precisely, we must assume that the set C; of ci- 
phertext message units for the first cryptosystem is contained in the set 
of plaintext message units for the second system. Let f, and f2 be the 
enciphering functions; then the product cryptosystem is given by the 
enciphering function f = fz 0 fi. If we let I (for “intermediate text” ) 
denote a ciphertext message unit for the first system, and let J =C, 
denote the set of intermediate texts, then the product cryptosystem 
can be represented schematically by the composite diagram: 


pte. 


Prove that: 

(a) The product of two shift enciphering transformations is also a shift 
enciphering transformation. 

(b) The product of two linear enciphering transformations is a linear 
enciphering transformation. 

(c) The product of two affine enciphering transformations is an affine 
enciphering transformation. 

Here is a slightly more complicated cryptosystem, in which the plain- 
texts and ciphertexts are written in different alphabets. We choose an 
N-letter alphabet for plaintexts and an M-letter alphabet for cipher- 
texts, where M > N. As usual, we regard digraphs in the N-letter 
alphabet as two-digit integers written to the base N, i.e., as integers 
between 0 and N? — 1; and we similarly regard digraphs in the M- 
letter alphabet as integers between 0 and M? — 1. Now choose any 
integer L between N? and M?: N? < L < M? Also choose integers 
a and b with g.c.d.(a, L) = 1. We encipher a plaintext digraph P us- 
ing the rule C = aP +6 mod L (in which C is taken to be the least 
nonnegative residue modulo L which satisfies the congruence). (Here 
the set P of all possible digraphs P consists of all integers from 0 to 
N?—1; but the set C of all possible ciphertext digraphs C' in the larger 
alphabet is only part of the integers from 0 to M? — 1, in fact, it is 
the subset of the integers less than L that arises from applying the 
enciphering rule to all possible plaintext digraphs.) Suppose that the 
plaintext alphabet is the 27-letter alphabet (as in Exercise 3), and the 
ciphertext alphabet is the 30-letter alphabet in Exercise 11. Suppose 
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that L = 853. Further suppose that you know that the two most fre- 
quently occurring plaintext digraphs “E ” and “S ” have encryptions 
“FQ” and “LE”, respectively. Find the deciphering key, and read the 
message “YAVAOCH’D!” 

16. Continuing along the lines of Exercise 15, here is an example of how 
one can, without too much extra work, create a cryptosystem that is 
much harder to break. Let f; be one cryptosystem of the type described 
in Exercise 15, i.e., given by the rule f;(P) = a;P + 6; mod Ly, and 
let fo be a second cryptosystem of the same type. Here the N and M 
are the same, but the a’s, b’s and L’s are different. We suppose that 
Lz > Ly. We then construct the product of the two cryptosystems (see 
Exercise 14), i.e., we encrypt a plaintext message unit P by successively 
applying the two rules: 


IT=a,P+b, mod Ly, 
C = agl + be mod Lz. 


(In the first rule J is the nonnegative integer less than L, that satisfies 
the congruence, and in the second rule C is less than L2.) Because the 
moduli L; and Lz are different, Exercise 14(c) does not apply, and this 
product cryptosystem is not generally an affine system. Here we sup- 
pose that the two alphabets of M and N letters are always the same, 
but we are free to frequently change our choice of the parameters aj, 
bi, Li, a2, b2, Le, subject, of course, to the conditions: N? < L; < 
Ly < M?, g.c.d.(a,, L1) = 1, g.c.d.(a2, Lz) = 1. Thus, the enciphering 
key consists of the six-tuple of parameter values {a;, bi, Li, a2, be, Le}. 
Let the plaintext and ciphertext alphabets be as in Exercise 15, con- 
sisting of 27 and 30 letters, respectively. If the enciphering key is 
{247, 109, 757, 675, 402, 881}, explain how to decipher, and decipher 
the message “D!RAJ’KCTN” 
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Suppose we have an N-letter alphabet and want to send digraphs (two- 
letter blocks) as our message units. In §1 we saw how we can let each 
digraph correspond to an integer considered modulo N?, i.e., to an element 
of Z/N?Z. An alternate possibility is to let each digraph correspond to a 
vector, i.e., to a pair of integers (7) with x and y each considered modulo 
N. For example, if we’re using the 26-letter alphabet A—Z with numerical 
equivalents 0—25, respectively, then the digraph NO corresponds to the 
vector G2): See the diagram at the top of the next page. 


We picture each digraph P as a point on an N x N square array. That 
is, we have an “zy-plane,” except that each axis, rather than being a copy 
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Z/NZ 
ND 


Z/NZ 


of the real number line, is now a copy of Z/NZ. Just as the real zy-plane 
is often denoted R? this N x N array is denoted (Z/NZ)? 

Once we visualize digraphs as vectors (points in the plane), we then 
interpret an “enciphering transformation” as a rearrangement of the N x N 
array of points. More precisely, an enciphering map is a 1-to-1 function from 
(Z/NZ)? to itself. 

Remark. For several centuries one of the most popular methods of 
encryption was the so-called “Vigenére cipher.” This can be described as 
follows. For some fixed k, regard blocks of k letters as vectors in (Z/NZ)* 
Choose some fixed vector b € (Z/NZ)* (usually b was the vector corre- 
sponding to some easily remembered “key—word”), and encipher by means 
of the vector translation C = P +b (where the ciphertext message unit C 
and the plaintext message unit P are k-tuples of integers modulo N). This 
cryptosystem, unfortunately, is almost as easy to break as a single-letter 
translation (see Example 1 of the last section). Namely, if one knows (or 
can guess) N and k, then one simply breaks up the ciphertext in blocks of 
k letters and performs a frequency analysis on the first letter in each block 
to determine the first component of b, then the same for the second letter 
in each block, and so on. 

Review of linear algebra. We now review how one works with vectors 
in the real ry-plane and with 2 x 2—matrices with real entries. Recall that, 
given a 2 x 2 array of numbers 


(C 4 and a vector in the plane ) 
c d y 


(we shall write vectors as columns), one can apply the matriz to the vector 
to obtain a new vector, as follows: 
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(< a) (j) = (erat): 


For a fixed matrix, this function from one vector to another vector is called 
a linear transformation, meaning that it preserves sums and constant mul- 
tiples of vectors. Using this notation, we can view any set of simultaneous 
equations of the form ar + by =e, cx +dy = f as equivalent to a single 
matrix equation AX = B, where A denotes the matrix 


(<2): 


X denotes the vector of unknowns (5)> and B denotes the vector of con- 


stants (). Stated in words, the simultaneous equations can thus be in- 
terpreted as asking to find a vector which when “multiplied” by a certain 
known matrix gives a certain known vector. Thus, it is analogous to the 
simple equation az = b, which is solved by multiplying both sides by a~! 
(assuming a # 0). Similarly, one way to solve the matrix equation AX = B 
is to find the inverse of the matrix A, and then apply A~! to both sides to 
obtain the unique vector solution X = A~1B. 
By the inverse of the matrix A we mean the matrix which multiplies 

by it to give the identity matrix 

1 0 

01 


(the matrix which, when applied to any vector, keeps that vector the same). 
But not all matrices have inverses. It is not hard to prove that a matrix 


A=(2 4) 


has an inverse if and only if its determinant D =gez ad — bc is nonzero, and 
that its inverse in that case is 


1f/d -b\_ (Dd -D~b 

D = a} \-D-'c Da ) , 
There are three possibilities for the solutions of the system of simultaneous 
equations AX = B. First, if the determinant D is nonzero, then there 
is precisely one solution X = (=). If D = 0, then either there are no 
solutions or there are infinitely many. The three possibilities have a simple 
geometric interpretation. The two equations give straight lines in the ry- 
plane. If D 4 0, then they intersect in exactly one point (xz, y). Otherwise, 
they are parallel lines, which means either that they don’t meet at all (the 
simultaneous equations have no common solution) or else that they are 
really the same line (the equations have infinitely many common solutions). 
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Next, let us suppose that we have a bunch of vectors X; = Ge)» stony 
X,p= er arranged as the columns of a 2 x k-matrix. Then we define the 


matrix product 


b 1... £ at; +by, ... ar,+by 
AX = a 1 k\_ 1 1 k k 
© 4 G see YR Ff \ cai tdy, ... cop tdy, )’ 
i.e., we simply apply the matrix A to each column vector in order, obtaining 
new column vectors. For example, the product of two 2 x 2—matrices is: 


a b\/a@ b\ _ (aa'+be’ ab’ +bd' 

ec d cod) \ca'+de a): 
Similar facts hold for 3 x 3-matrices, which can be applied to 3-dimensional 
column-vectors, and so on. However, the formulas for the determinant and 
inverse matrix are more complicated. This concludes our brief review of 
linear algebra over the real numbers. 

Linear algebra modulo N. In §1, when we were dealing with single 
characters and enciphering maps of Z/NZ, we found that two easy types 
of maps to work with were: 

(a) “linear” maps C = aP, where a is invertible in Z/NZ; 

(b) “affine” maps C = aP + b, where a is invertible in Z/NZ. 

We have a similar situation when our message units are digraph-vectors. 
We first consider linear maps. The difference when we work with (Z/NZ)? 
rather than Z/NZ is that now instead of an integer a we need a 2x 2-matrix, 
which we shall denote A. We start by giving a systematic explanation of 
the type of matrices we need. 

Let R be any commutative ring, i.e., a set with multiplication and 
addition satisfying the same rules as in a field, except that we do not require 
that any nonzero element have a multiplicative inverse. For example, Z/NZ 
is always a ring, but it is not a field unless N is prime. We let R* denote 
the subset of invertible elements of R. For example, (Z/NZ)* = {0 <j < 
N | g.c.d.(j, N) = 1}. 

If R is a commutative ring, we let M2(R) denote the set of all 2 x 2- 
matrices with entries in R, with addition and multiplication defined in the 
usual way for matrices. We call M2(R) a “matrix ring over R”; M2(R) itself 
is a ring, but it is not a commutative ring, i.e., in matrix multiplication the 
order of the factors makes a difference. 

Earlier in this section, the matrices considered were the case when 
R= R is the ring (actually, field) of real numbers. Recall that a matrix 


(< «) 


with real numbers a, b, c, d has a multiplicative inverse if and only if the 
determinant D = ad — bc is nonzero, and in that case the inverse matrix is 
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D-1d —D-'b 
-D-1¢ D-a )° 
We have a similar situation when we work over an arbitrary ring R. 
Namely, suppose that 


A= (: )) € M2(R) 


and D = det(A) =aef ad — bc is in R* Let D~* denote the multiplicative 
inverse of D in R. Then 


(Se Be (CG al=C GT” pacasad) 


and we obtain the same result 


(0 1) 


if we multiply in the opposite order. Thus, A has an inverse matrix given 
by the same formula as in the real number case: 


A= D-'d —D-b 
—-D-1e D-a }° 
Example 1. Find the inverse of 
2 3 
A= € 4 € M2(Z/26Z). 


Solution. Here D = 2-.8-3-7 = —-5 = 21 in Z/26Z. Since 
g.c.d.(21,26) = 1, the determinant D has an inverse, namely 217! = 5. 


Thus, 
At= 5:8 -5:3\ / 40 -15\  /14 11 
~\-5-7 5-2/7 \-35 10 /° \17 10)° 


14 11 2 3 105 130 1 0 
We check that & io & — Go cn = & i). Here, 


since we are working in Z/26Z, we are using “=” to mean that the en- 
tries are congruent modulo 26. 
Just as in the real number case, a 2 x 2—matrix 


(: «) 
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with entries in a ring R can be multiplied by a column-vector () with 


z, y € R to get a new vector (7): 


GG ea): 


This gives a “linear map” from vectors to vectors, meaning that a linear 
combination Gare). where k, and kg are in the ring R, is taken to 


Ke : kiyitkoy2 
( pai: The only difference with the situation earlier in our review of 
1 2 


linear algebra is that now everything is in our ring R rather than in the 
real numbers. 

We shall want to apply all of this when our ring is R = Z/NZ. The next 
proposition will be stated in that case, although the analogous proposition 
is true for any R. 

Proposition IIT.2.1. Let 


d 


The following are equivalent: 

(a) g.c.d.(D,N)=1; 

(b) A has an inverse matriz; 

(c) if andy are not both 0 in Z/NZ, then A(;) re Ge 
(d) A gives a 1-to-1 correspondence of (Z/NZ)* with itself. 

Proof. We already showed that (a)=>(b). It suffices now to prove that 
(b) = (d= (Cc) 2). 

Suppose that (b) holds. Then part (d) also holds, because A~! gives 
the inverse map from (7) to (ie Next, if we have (d), then (5) # (0) implies 
that A(t) # A(}) = (9), and so (c) holds. Finally, we prove (c)=>(a) by 
showing that (a) false ==> (c) false. So suppose that (a) is false, and set 
m = g.c.d.(D, N) > 1 and let m’ = N/m. Three cases are possible. 

Case (i). If all four entries of A are divisible by m, set (5) = (@); to 
get a contradiction to (c). 

Case (ii). If a and b are not both divisible by m, set () = Ge): 
Then 


Al) = (6 a) Com) = (<a) = Com.) = (0) 
y) \cd am’ —cbm' + dam! } ~ \ Dm' 0)’ 
because m|D and so N = mm’'|Dm! 

Case (iii). If c and d are not both divisible by m, set (f) = (=) , and 
proceed as in case (ii). These three cases exhaust all possibilities. Thus, (a) 
false implies (c) false. This completes the proof of Proposition III.2.1. 

Example 2. Solve the following systems of simultaneous congruences: 


a~(é i) € Ma(Z/N2) and set D = ad — be. 
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(a) 
2x + 3y = 1 mod 26, 


7x + 8y = 2 mod 26; 


(b) 
2+ 3y =1 mod 26, 


7x + 9y = 2 mod 26; 


(c) 
2+ 3y =1 mod 26, 


7x + 9y = 1 mod 26. 


Solution. The matrix form of the system (a) is AX = B mod 26, where 
A is the matrix in Example 1, X = Gy and B = (3). We obtain the unique 


solution 
= y-ip. fie Ly. 2/10 
X=A B=(t tH GEG mod 26. 


The matrix of the systems (b)~(c) does not have an inverse modulo 26, since 
its determinant is 14, which has a common factor of 2 with 26. However, we 
can work modulo 13, i.e., we can find the solution to the same congruence 
mod 13 and see if it gives a solution which works modulo 26. Modulo 13 


we obtain Gets 


(where (§) = (5) in part (b) and ({) in part (c)). This gives = (3) and 
(8) mod 13, respectively. Testing the possibilities modulo 26, we find that 
in part (b) there are no solutions, and in part (c) there are two solutions: 
z=6, y=7 and z=19, y = 20. 

Another way to solve systems of equations (preferable sometimes, espe- 
cially when the matrix is not invertible) is to eliminate one of the variables 
(e.g., in parts (b) and (c), one could subtract 7 times the first congruence 
from the second). 

To return to cryptography, we see from Proposition III.2.1 that we can 
get enciphering transformations of our digraph-vectors by using matrices 
A € M2(Z/NZ) whose determinant has no common factor with N: 


A= (: Ay D =ad — be, g.c.d.(D, N) = 1. 


Namely, each plaintext message unit P = (5) is taken to a ciphertext 
C= (7,) by the rule 
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: z'\ (a b\(z 
cna im (B)=(2 0) 


To decipher a message, we simply apply the inverse matrix: 


ee eer : z\ (Dd —D~'b\ (2' 
P=A-AP=AC, ie., (\-( 54 D-a er 


Example 3. Working in the 26-letter alphabet, use the matrix A in 
Example 1 to encipher the message unit “NO.” 
Solution. We have: 


2 3 13 68 16 

wr=(3 2) ()=(88)=(8) 
and so C' = AP is “QV.” 

Remark. To encipher a plaintext sequence of k digraphs P = P; P2P3.--- 
P,, we can write the k vectors as columns of a 2 x k-matrix, which we also 
denote P, and then multiply the 2 x 2—-matrix A by the 2 x k-matrix P to 
get a 2 x k-matrix C = AP of coded digraph-vectors. 

Example 4. Continue as in Example 3 to encipher the plaintext 
“NOANSWER.” 

Solution. The numerical equivalent of “NOANSWER” is the sequence 
of vectors (73) (1°) (58) (77). We have 


C=AP= 2 3 13 0 18 4\ / 68 39 102 59 
J “\7 8 14 13 22 17) \203 104 302 164 
_ (16 13 24 7 
~\21 0 16 8)’ 
ie., the coded message is “QVNAYQHI.” 
Example 5. In the situation of Examples 3-4, decipher the ciphertext 


“FWMDIQ.” 
Solution. We have: 


ea oe eae ee ae 
ane c= (17 te 3 a 


019 2\ , : 
-(% ; 0)™ ATTACK. 


As in §1, suppose that we have some limited information from which 
we want to analyze how to decipher a string of ciphertext. We know that 
the “enemy” is using digraph-vectors in an N-letter alphabet and a linear 
enciphering transformation C = AP. However, we do not have the encipher- 
ing “key” — the matrix A — or the deciphering “key” — the matrix A} 
But suppose we are able to determine two pairs of plaintext and ciphertext 
digraphs: C,; = AP, and Cz = AP». Perhaps we learned this information 
from an analysis of the frequency of occurrence of digraphs in a long string 
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of ciphertext. Or perhaps we know from some outside source that a certain 
4-letter plaintext segment corresponds to a certain 4-letter ciphertext. In 
that case we can proceed as follows to determine A and A~! We put the 
two columns P, and P, together into a 2 x 2-matrix P, and similarly for 
the ciphertext columns. We obtain an equation of 2 x 2-matrices: C = AP, 
in which C and P are known to us, and A is the unknown. We can solve 
for A by multiplying both sides by P7?: 


A=APP"'=CP". 
Similarly, from the equation P = A~!C we can solve for A7!: 
APU SPC: 


Example 6. Suppose that we know that our adversary is using a 2 x 2 
enciphering matrix with a 29-letter alphabet, where A—Z have the usual 
numerical equivalents, blank=26, ?=27, !=28. We receive the message 


“GFPYJP X?UYXSTLADPLW,” 


and we suppose that we know that the last five letters of plaintext are our 
adversary’s signature “KARLA.” Since we don’t know the sixth letter from 
the end of the plaintext, we can only use the last four letters to make two 
digraphs of plaintext. Thus, the ciphertext digraphs DP and LW correspond 
to the plaintext digraphs AR and LA, respectively. That is, the matrix P 
made up from AR and LA is the result of applying the unknown deciphering 
matrix A~! to the matrix C made up from DP and LW: 


0 11\ _ Ao 3 11 
17 0} | 15 22)° 
Thus, 


ai-f{® 1)(/3 ny'_(o 1\(/3 13\_ (21 19 
~A\17 «0 15 22 ~\17 (0 23.00 fo N22: IS)" 
and the full plaintext message is 
21 19\/6 15 9 26 27 24 18 11 3 Ii 
22 18/\5 24 15 23 20 23 19 O 15 22 


_ {18 17 10 26 19 13 14 28 0 11 
~“\19 8 4 O 26 14 13 10 17 O 


= “STRIKE AT NOON! KARLA.” 


Remark. In order for this to work, notice that the matrix P formed by 
the two known plaintext digraphs must be invertible, i.e., its determinant D 
must have no common factor with the number of letters N. What if we are 
not so fortunate? If we happen to know another ciphertext-plaintext pair, 
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then we could try to use that pair of columns in place of either the first or 
second columns of P and C, hoping to obtain then an invertible matrix. 
But suppose we have no further information, or that none of the known 
plaintext digraphs give us an invertible matrix P. Then we cannot find 
A! exactly. However, we might be able to get enough information about 
A-! to cut down drastically the number of possibilities for the deciphering 
matrix. We now illustrate this with an example. (For more on this, see the 
exercises at the end of the section.) 

Example 7. Suppose we know than our adversary is using an enci- 
phering matrix A in the 26-letter alphabet. We intercept the ciphertext 
“WKNCCHSSJH,” and we know that the first word is “GIVE.” We want 
to find the deciphering matrix A~! and read the message. 

Solution. If we try to proceed as in Example 6, writing 


io) 9, pe 6 21 
P=‘GIVE -(5 ae 


22 13 


C= ‘“WKNC ~(% 9 


) ; and A= PC™} 

we immediately run into a problem, since det(C) = 18 and g.c.d.(18, 26) = 
2. We can proceed as follows. Let A denote the reduction modulo 13 
of the matrix A, and similarly for P and C’. If we consider these ma- 


trices in M2(Z/13Z), we can take C~1 (more precisely, C a because 
g.c.d.(det(C), 13) = 1. Thus, from P = A *G we can compute 


-1 
3-1 3771 6 8 9 0 2 4 
A =Pe*=(8 6) (io 2) =(5 2): 


Since the entries of A~} which are integers mod 26, must reduce to 


(3 2) 


modulo 13, it follows that there are two possibilities for each entry in the 
matrix A~! More precisely, 


Apes G 2) +134), 


where A; € M2(Z/2Z) is a 2 x 2-matrix of 0’s and 1’s. That leaves 2* = 16 
possibilities. However, in the first place, since A~! is invertible, its deter- 
minant must be prime to 26, and hence also prime to 2 (i-e., odd). This 
consideration rules out all but 6 possibilities for A,. In the second place, 
when we substitute 
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24 
(2 $) sis 
for A} in the equation 


-1(22 13\_ (6 21 
# Ga = (s t) 


(this means entry-by-entry congruence mod 26), we eliminate all but 2 
possibilities, namely, 


1 0 11 
A= (4 i or é i) 


-1_ (15 4 15 17 
ie & i) me Gs 15)’ 
Attempting to decipher with the first matrix yields “GIVEGHEMHP,” 
which must be wrong. Deciphering with the second matrix 


-1_ (15 17 
Bis & is) 

leads to “GIVETHEMUP.” So that must be correct. Although a certain 
amount of trial and error is involved, it’s better than running through all 
157,248 possibilities for a deciphering matrix A~1 € M2(Z/26Z)* 

Remark. In Example 7 it would perhaps be more efficient to adjust the 
entries in A by multiples of 13 so that they become divisible by 2, i.e., 
to define A; by writing: 


ie., 


At= cs 3 +13A). 


Then one can obtain information on A; by working modulo 2, since we now 
have A,C = P mod 2. 

Affine enciphering transformations. A more general way to encipher a 
digraph-vector P = (§) is to apply a 2 x 2-matrix A = (¢ ®) € M2(Z/NZ) 
and then add a constant vector B = (5): 


C=AP+B, 


(e)= (5 a) (3)+ (7) = (Stas): 


This is called an “affine” map, and is analogous to the enciphering function 
C =aP +b that we studied in §1 when we were using single-letter message 
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units. Of course, as before, we are using “=” to mean the corresponding 
entries are congruent mod N. 

The inverse transformation that expresses P in terms of C' can be found 
by subtracting B from both sides and then applying A~! to both sides: 


P=A7!C—A7'!B. 


This is also an affine transformation P = A’C + B! where A’ = A~! and 
B' = —A“'B. Notice that we must assume that A is an invertible matrix 
in order to be able to decipher uniquely. 

Suppose we know that our adversary is using an affine enciphering 
transformation of digraph-vectors with an N-letter alphabet. To determine 
A and B (or to determine A’ = A~! and B’ = —A~'B), we need at least 
three digraph pairs. Suppose we know that the ciphertext digraphs C1, C2, 
C3 correspond to the plaintext digraphs P;, P2, P3: 


P= A'C, +B’ 
Ph = A'C2 +B’ 
P3 = A'C3 + B’. 


To find A’ and B’ we can proceed as follows. Subtract the last equation 
from the first two, and then make a 2 x 2-matrix P from the two columns 
P, —P3 and P2—P3 and a 2 x 2-matrix C' from the two columns C; —C3 and 
C2 — C3. We obtain the matrix equation P = A’C, which can be solved for 
A’ (provided that C is invertible) as we did in the case of linear enciphering 
transformations. Finally, once we find A’ = A~} we can determine B’ from 
any of the above three equations, e.g., B’ = P, — A’C. 


Exercises 


1. Use frequency analysis to decrypt the following message, which was 
encoded in the 26-letter alphabet using a Vigenére cipher with a 3- 
letter key-word. Do this in the following way. To find the first letter of 
the key-word, work with the sequence consisting of every third letter 
starting with the first. Do not assume that the most frequently oc- 
curring letter is necessarily the ciphertext for “E”. List the four most 
frequently occurring letters, and try out the possibility that each one 
in turn is the encryption of “E”. If one of the other three frequently 
occurring letters would then have to be the encryption, say, of “Z” 
or “Q”, then you know that you made a wrong choice for “E”. By 
an elimination process, find the letter that must be “E” and then the 
key-word letter which produces that translation. In this way find the 
key-word and decipher the message: 
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AWYVPQCTBLWYLPASQJWUPGBUSHFACELDLLDLWLBWAFAHS 
EBYJXXACELWCJTQMARKDDLWCSXBUDLKDPLXSEQCJTNWPR 
WSRGBCLWPGJEZIFWIMJDLLDAGCQMAYLTGLPPJXTWSGFRM 
VTLGUYUXJAIGWHCPXQLTBXDPVTAGSGFVRZTWTGMMVFLXR 
LDKWPRLWCSXPHDPLPKSHQGULMBZWGQAPQCTBAURZTWSHQ 
MBCVXAGJJVGCSSGLIFWNQSXBFDGSHIWSFGLRZTWEPLSVC 
VIFWNQSXBOWCFHMETRZXLYPPJXTWSGFRMVTRZTWHWMFTB 
OPQZXLYIMFPLVWYVIFWDPAVGFPJETQKPEWGCSSRGIFWB 


2. Find the inverses of the following matrices mod N. Write the entries 
in the inverse matrix as nonnegative integers less than N. 


@ ({ ) mod5 — (b) ( 3) mod 29 o(? - mod 26 


4 3 4 9 
40 0 197 62 
(d) ( 0 mi) mod 841 (e) ( 603 m) mod 841 


In Exercises 3—5, find all solutions () modulo N, writing x and y as 
nonnegative integers less than N. 


ss (a) x+4y =1 mod 9 (b) z+4y=1mod9 
52 + 7y = 1 mod 9 5x + 8y = 1 mod 9 
(c) xz+4y=1 mod 9 (4) xz +4y = 0 mod 9 
5z + 8y = 2 mod 9 5z + 8y = 0 mod 9 
- (a) 17x + lly =7 mod 29 (b) 17x + 1ly = 0 mod 29 
132 + 10y = 8 mod 29 132 + 10y = 0 mod 29 
(c) 9x + 20y = 0 mod 29 (a) 9x + 20y = 10 mod 29 
16x + 13y = 0 mod 29 16x + 13y = 21 mod 29 
92 + 20y = 1 mod 29 
(©) 160 + 13y = 2 mod 29 
5. 


480z + 971y = 416 mod 1111 
2972 + 398y = 319 mod 1111 
(c) 4802 + 971ly = 0 mod 1111 (a) 480z + 97ly = 0 mod 1111 
2972 + 398y = 0 mod 1111 298c + 398y = 0 mod 1111 
480z + 971y = 648 mod 1111 
(©) ooge + 398y = 1004 mod 1111 


6. The Fibonacci numbers can be defined by the rule f; = 1, fo = 1, 
fs = 2, fn4i = fn + Jfn-1 for n > 1, or, equivalently, by means of the 
matrix equation 


480z + 971ly = 109 mod 1111 


(a) 2972 + 398y = 906 mod 1111 


(b) 
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Ges fa ) _ G 5) 

f n f n—-1 1 0 

(see Exercise 10 of §1.2). Using the matrix form of the definition, prove 
that f, is even if and only if n is divisible by 3. More generally, prove 
that f, is divisible by a if and only if n is divisible by b for the following 
a and b: (a)a=2, b=3; (b)a=3,b=4;, (c)a=5,b=5; (d) 
a=7,b=8; (e)a=8, b=6; (f)a=11, b=10. 

You intercept the message “SONAFQCHMWPTVEVY) which you 
know resulted from a linear enciphering transformation of digraph- 
vectors, where the sender used the usual 26-letter alphabet A—Z with 
numerical equivalents 0—25, respectively. An earlier statistical anal- 
ysis of a long string of intercepted ciphertext revealed that the most 
frequently occurring ciphertext digraphs were “KH” and “XW” in that 
order. You take a guess that those digraphs correspond to “TH” and 
“HE} respectively, since those are the most frequently occurring di- 
graphs in most long plaintext messages on the subject you think is 
being discussed. Find the deciphering matrix, and read the message. 
You intercept the message “ZRIXXYVBMNPO?} which you know re- 
sulted from a linear enciphering transformation of digraph-vectors in 
a 27-letter alphabet, in which A—Z have numerical equivalents 0—25, 
and blank=26. You have found that the most frequently occurring ci- 
phertext digraphs are “PK” and “RZ? You guess that they correspond 
to the most frequently occurring plaintext digraphs in the 27-letter 
alphabet, namely, “E ” (E followed by blank) and “S .” Find the 
deciphering matrix, and read the message. 

You intercept the message “IIWGVIEX!ZRADRYD?” which was sent 
using a linear enciphering transformation of digraph-vectors in a 29- 
letter alphabet, in which A—Z have numerical equivalents 0—25, 
blank=26, ?=27, !=28. You know that the last five letters of plain- 
text are the sender’s signature “MARIA” 

(a) Find the deciphering matrix, and read the message. 

(b) Find the enciphering matrix, and, impersonating Maria’s friend Jo, 
send the following reply in code: “DAMN FOG! JO? 

In this exercise we are again working with the Cyrillic alphabet (see 
Exercise 12 of the last section). We use a 34-letter alphabet, where in 
addition to the numerical equivalents listed before we have blank=33. 
Suppose that still the two most frequently occurring digraphs in Rus- 
sian are taken to be “HO” and “ET” Meanwhile, we find that in a 
long string of ciphertext the most frequently occurring digraphs are 
“fOT” and “UM” We know that the encryption uses a linear enci- 
phering transformation of digraph-vectors in the 34-letter alphabet. 
Read the intercepted message “CXHC’bUIOHUI3” 

Prove that the product (see Exercise 14 of the last section) of a cryp- 
tosystem with enciphering matrix A, € M2(Z/NZ)* and a cryptosys- 


12. 


13. 


14. 


15. 


16. 
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tem with enciphering matrix Ap € M2(Z/NZ)* is also a linear enci- 
phering transformation. 

In order to increase the difficulty of breaking your cryptosystem, you 
decide to encipher a digraph-vector in the 26-letter alphabet by first 


applying the matrix 
3 11 
4 15)’ 


working modulo 26, and then applying the matrix 


10 15 
5. 9}? 


working modulo 29. (Note that applying two matrices in succession 
while working with the same modulus is equivalent to applying a single 
matrix, as shown in Exercise 11; but if you change modulus the two- 
step encryption is much more complicated.) Thus, while your plaintexts 
are in the 26-letter alphabet, your ciphertexts will be in the 29-letter 
alphabet we used in Exercise 9. 

(a) Encipher the message “SEND” 

(b) Describe how to decipher a ciphertext by applying two matrices in 
succession, and decipher “ZMOY’ 

Prove that if a non-invertible A € M2(Z/NZ) is used to encipher di- 
graph vectors by means of the formula C = AP, then every ciphertext 
one sends can be deciphered as coming from at least two different pos- 
sible plaintexts. 

You intercept the message “S GNLIKD?KOZQLLIOMKUL.VY” (here 
the blank after the S is part of the message). Suppose that a linear 
enciphering transformation C = AP is being used with a 30-letter 
alphabet, in which A—Z have the usual numerical equivalents 0—25, 
blank=26, .=27, ,=28, ?=29. You also know that the last six letters of 
the plaintext are the signature KARLA followed by a period. Find the 
deciphering matrix A! and the full plaintext message. 

You intercept the message “KVW? TA!IKJB?FVR .” (The blanks 
after ? and R are part of the message, but the final . is not.) You know 
that a linear enciphering transformation is being used with a 30-letter 
alphabet, in which A—Z have numerical equivalents 0—25, blank=26, 
?=27, !=28, .=29. You further know that the first six letters of the 
plaintext are “C.I.A.” Find the deciphering matrix A~! and the full 
plaintext message. 

Suppose that N = mn, where g.c.d.(m,n) = 1. Any A € M2(Z/NZ) 
can be considered in Mj(Z/mZ) or Mz(Z/nZ) by simply reducing the 
entries modulo m or n. Let A and A denote the corresponding matrices 
in M2(Z/mZ) and M2(Z/nZ), respectively. 

(a) Prove that the map that takes A to the pair (A, A) is a 1-to-1 cor- 
respondence between M2(Z/NZ) and the set M2(Z/mZ) x Mo(Z/nZ) 
of all pairs of matrices, one modulo m and one modulo n. 
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(b) Prove that the map in part (a) gives a 1-to-1 correspondence be- 
tween the set M2(Z/NZ)* of invertible matrices mod N and the set 
M2(Z/mZ)* x Mo(Z/nZ)* 

17. For pa prime, find the number of elements in M2(Z/pZ)* in two ways, 
and check that your answers agree: 

(a) Count the number of solutions in F, of the equation ad — bc = 0, 

and subtract this from the number of elements in M2(Z/pZ). 

(b) Any A € M2(Z/pZ)* must take (5) and (?) to two linearly inde- 

pendent vectors, i.e., the first can be any nonzero vector, and then the 

second can be any vector not a multiple of the first. Count the number 
of possibilities. 

18. Prove that a matrix in M2(Z/p%Z) is invertible if and only if its re- 
duction mod p in M2(Z/pZ) is invertible. Then find the number of 
elements in M2(Z/p%Z)* 

19. Using Exercises 16-18, find a formula for the number of elements in 
M2(Z/NZ)* Call this number y2(NV). Recall the formula for the num- 
ber y(N) of elements in (Z/NZ)*: o(N) = NI], ,.(1- a) Write your 
formula for y2(N) in a similar form. How many possible 2 x 2 enci- 
phering matrices A are there when N = 26, 29, 30? 

20. Let y(.N) denote the number of invertible k x k—-matrices with entries 
in Z/NZ. Guess a formula for :p;,(N). This formula is not hard to prove 
by the method in Exercise 16(b). 

Remark. The approach in Exercises 16-20 is typical of many proofs 
and computations modulo N. Using a multiplicativity property, one first 
reduces to the case of a prime power. Then, using a “lifting argument” (see 
Exercise 20 of § 11.2 for another example of this), one reduces to the case of 
a prime, i.e., we can then work in a field F,. Once we are working with a 
field, we can more easily use our geometric intuition, as in Exercise 17(b) 
above. All of linear algebra that we first learn over the real numbers goes 
through word-for-word over any field. For example, a congruence of the 
form ax + by = c mod p can be depicted by a “line” in the “plane” over the 
field F,; a second such congruence will either meet the first line in a single 
point, be parallel to the first line, or else coincide with the first line. In the 
case of congruences with a composite modulus N, on the other hand, there 
are other possibilities, which occur when the determinant of the coefficient 
matrix has a nontrivial common factor with N. 

21. How many possible affine enciphering transformations are there for 
digraphs in an N-letter alphabet? How many are there when N = 26, 
29, 30? 

22. Suppose that you want to find a deciphering matrix A~! € M2(Z/NZ)* 
from the equation P = A~!C, where P and C are made up from 
two known pairs of plaintext-ciphertext digraphs. Suppose that g.c.d. 
(det(C), N) = p, where p is a prime dividing N only to the first power. 
Let n = N/p. 

(a) Find the number of possibilities for A~} you will be left with after 


23. 


24. 


25. 
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solving the congruence P = A~!C mod n and after taking into account 
that pj det(A-?). 

(b) Suppose that p does not divide all of the entries in C’. Describe how 
to use the congruence P = A~!C mod p to further reduce the number 
of possibilities for A~! How many possibilities are you now left with? 
Example 8 and Exercise 15 illustrate this in the case p = 2. 

You want to find a 2 x 2 enciphering matrix A modulo 30. You have 
two plaintext /ciphertext digraph pairs (in a 30-letter alphabet), which 
enables you to write AP = C mod 30, where 


(3 3 _(17 8 
p=(5 : o=(% m) 


(a) Working modulo 10, write A in the form A = Ap + 10A; mod 30, 
where A, is an unknown matrix modulo 3 (whose entries are 0, 1 or 2) 
and Apo is a matrix you know from your mod 10 computations. Choose 
Ao so that all of its entries are between 0 and 29 and are divisible by 
3. 
(b) Working modulo 3, find the second column of the matrix Aj. 
(c) How many possibilities are there for the original matrix A? List 
them all. 
Let 

A= CG 4 € M,(Z/NZ)* 

c d 

be the matrix of a linear enciphering transformation of digraphs in an 
N-letter alphabet. By a fixed digraph of A we mean a digraph vector P 
whose corresponding ciphertext vector C is the same as P, i.e., AP = 
P. In this problem we suppose that A is not the identity matrix. (After 
all, there’s no point in considering the enciphering transformation that 
doesn’t even make a half-hearted attempt to disguise anything.) 
(a) Show that the digraph “AA”= (9) is always fixed, and find a con- 


dition on 
a b 
c d 


which is equivalent to “AA” being the only fixed digraph. 

(b) If N is a prime number and if “AA” is not the only fixed digraph, 
prove that there are exactly N fixed digraphs. 

You intercept the message 


“WUXHURWZNQR XVUEXU!JHALGQGJ?; 


which you know was encoded using an affine transformation of vectors 
(5) in an 841-letter alphabet. Here the numerical equivalent of a di- 
graph is the number x = 292; + x2, where 21 is the number of the first 
letter and x2 is the number of the second letter in the digraph (the 29 
letters are numbered as in Exercise 9). Thus, each block of four letters 
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27. 


28. 
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gives a column (7): the first two letters give the integer z and the next 
two letters give y. You also know that the last 12 letters of the above 
ciphertext correspond to the signature “HEADQUARTERS” 

(a) Find the deciphering transformation and read the message. 

(b) Find the enciphering transformation and make a coded message 
that inpersonates headquarters and says “CANCEL LAST ORDER!” 
followed by two blanks and the signature “HEADQUARTERS” 

How many possible affine enciphering transformations are there in the 
situation of Exercise 25 (with an 841-letter digraph alphabet)? 

How many possible affine enciphering transformations are there for tri- 
graphs (3-component vectors) in a 26-letter alphabet? 

You intercept the message 


“FBRTLWUGAJQINZTHHXTEPHBNXSW,” 


which you know was encoded using a linear enciphering transformation 
of trigraphs in the 26-letter alphabet A—Z with numerical equivalents 
0—25. You also know that the last three trigraphs are the sender’s 
signature “JAMESBOND.” Find the deciphering matrix and read the 
message. 
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IV 
Public Key 


1 The idea of public key cryptography 


Recall that a cryptosystem consists of a 1-to-1 enciphering transformation f 
from a set P of all possible plaintext message units to a set C of all possible 
ciphertext message units. Actually, the term “cryptosystem” is more often 
used to refer to a whole family of such transformations, each corresponding 
to a choice of parameters (the sets P and C, as well as the map f, may 
depend upon the values of the parameters). For example, for a fixed N- 
letter alphabet (with numerical equivalents also fixed once and for all), 
we might consider the affine cryptosystem (or “family of cryptosystems” ) 
which for each a € (Z/NZ)* and b € Z/NZ is the map from P = Z/NZ 
to C = Z/NZ defined by C = aP + b mod N. In this example, the sets P 
and C are fixed (because N is fixed), but the enciphering transformation f 
depends upon the choice of parameters a, b. The enciphering transformation 
can then be described by (i) an algorithm, which is the same for the whole 
family, and (ii) the values of the parameters. The values of the parameters 
are called the enciphering key Kx. In our example, Kg is the pair (a, 6). 
In practice, we shall suppose that the algorithm is publicly known, i.e., the 
general procedure used to encipher cannot be kept secret. However, the 
keys can easily be changed periodically and, if one wants, kept secret. 
One also needs an algorithm and a key in order to decipher, i.e., com- 
pute f—1 The key is called the deciphering key Kp. In our example of the 
affine cryptosystem family, deciphering is also accomplished by an affine 
map, namely P = a~!C — a~!b mod N, and so the deciphering transfor- 
mation uses the same algorithm as the enciphering transformation, except 


84 IV. Public Key 

with a different key, namely, the pair (a~1 —a~1b). (In some cryptosys- 
tems, the deciphering algorithm, as well as the key, is different from the 
enciphering algorithm.) We shall always suppose that the deciphering and 
enciphering algorithms are publicly known, and that it is the keys Kg and 
Kp which can be concealed. 

Let us suppose that someone wishes to communicate secretly using 
the above affine cryptosystem C = aP + b. We saw in §III.1 that it is not 
hard to break the system if one uses single-letter message units in an N- 
letter alphabet. It is a little more difficult to break the system if one uses 
digraphs, which can be regarded as symbols in an N?-letter alphabet. It 
would be safer to use blocks of k letters, which have numerical equivalents 
in Z/N*Z. At least for k > 3 it is not easy to use frequency analysis, 
since the number of possible k-letter blocks is very large, and one will find 
many that are close contenders for the title of most frequently occurring 
k-graph. If we want to increase k, we must be concerned about the length 
of time it takes to do various arithmetic tasks (the most important one 
being finding a~! by the Euclidean algorithm) involved in setting up our 
keys and carrying out the necessary transformations every time we send a 
message or our friend at the other end deciphers a message from us. That 
is, it is useful to have big-O estimates for the order of magnitude of time 
(as the parameters increase, i.e., as the cryptosystem becomes “larger” ) 
that it takes to: encipher (knowing Kg), decipher (knowing Kp), or break 
the code by enciphering without knowledge of Kg or deciphering without 
knowledge of Kp. 

In all of the examples in Chapter III — and in all of the cryptosystems 
used historically until about fifteen years ago — it is not really necessary 
to specify the deciphering key once the enciphering key (and the general 
algorithms) are known. Even if we are working with large numbers — such 
as N* with k fairly large — it is possible to determine the deciphering 
key from the enciphering key using an order of magnitude of time which is 
roughly the same as that needed to implement the various algorithms. For 
example, in the case of an affine enciphering transformation of Z/N*Z, once 
we know the enciphering key Kg = (a,b) we can compute the deciphering 
key Kp = (a! mod N*, —a~b mod N*) by the Euclidean algorithm in 
O(log?(N*)) bit operations. 

Thus, with a traditional cryptosystem anyone who knew enough to 
decipher messages could, with little or no extra effort, determine the enci- 
phering key. Indeed, it was considered naive or foolish to think that someone 
who had broken a cipher might nevertheless not know the enciphering key. 
We see this in the following passage from the autobiography of a well-known 
historical personality: 


Five or six weeks later, she [Madame d’Urfé] asked me if I 
had deciphered the manuscript which had ie transmutation pro- 
cedure. I told her that I had. 
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“Without the key, sir, excuse me if I believe the thing impos- 
sible.” 

“Do you wish me to name your key, madame?” 

“If you please.” 

I then told her the key-word, which belonged to no language, 
and I saw her surprise. She told me that it was impossible, for she 
believed herself the only possessor of that word which she kept in 
her memory and which she had never written down. 

I could have told her the truth — that the same calculation 
which had served me for deciphering the manuscript had enabled 
me to learn the word — but on a caprice it struck me to tell her 
that a genie had revealed it to me. This false disclosure fettered 
Madame d’Urfé to me. That day I became the master of her soul, 
and I abused my power. Every time I think of it, I am distressed 
and ashamed, and I do penance now in the obligation under which 
I place myself of telling the truth in writing my memoirs. 


— Casanova, 1757, quoted in D. Kahn’s The Codebreakers 


The situation persisted for another 220 years after this encounter be- 
tween Casanova and Madame d’Urfé: knowledge of how to encipher and 
knowledge of how to decipher were regarded as essentially equivalent in 
any cryptosystem. However, in 1976 W. Diffie and M. Hellman discovered 
an entirely different type of cryptosystem and invented “public key cryp- 
tography.” 

By definition, a public key cryptosystem has the property that someone 
who knows only how to encipher cannot use the enciphering key to find 
the deciphering key without a prohibitively lengthy computation. In other 
words the enciphering function f:P —> C is easy to compute once the 
enciphering key Kg is known, but it is very hard in practice to compute 
the inverse function f~!:C —+ P. That is, from the standpoint of realistic 
computability, the function f is not invertible (without some additional 
information — the deciphering key Kp). Such a function f is called a 
trapdoor function. That is, a trapdoor function f is a function which is 
easy to compute but whose inverse f~! is hard to compute without having 
some additional auxiliary information beyond what is necessary to compute 
f. The inverse f~1 is easy to compute, however, for someone who has this 
information Kp (the “deciphering key”). 

There is a closely related concept of a one-way function. This is a 
function f which is easy to compute but for which f~! is hard to compute 
and cannot be made easy to compute even by acquiring some additional 
information. While the notion of a trapdoor function apparently appeared 
for the first time in 1978 along with the invention of the RSA public-key 
cryptosystem, the notion of a one-way function is somewhat older. What 
seems to have been the first use of one-way functions for cryptography was 
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described in Wilkes’ book about time-sharing systems that was published in 
1968. The author describes a new one-way cipher used by R. M. Needham 
in order to make it possible for a computer to verify passwords without 
storing information that could be used by an intruder to impersonate a 
legitimate user. 


In Needham’s system, when the user first sets his password, 
or whenever he changes it, it is immediately subjected to the enci- 
phering process, and it is the enciphered form that is stored in the 
computer. Whenever the password is typed in response to a de- 
mand from the superviscr for the user’s identity to be established, 
it is again enciphered and the result compared with the stored 
version. It would be of no immediate use to a would-be malefac- 
tor to obtain a copy of the list of enciphered passwords, since he 
would have to decipher them before he could use them. For this 
purpose, he would need access to a computer and even if full de- 
tails of the enciphering algorithm were available, the deciphering 
process would take a long time. 


In 1974, G. Purdy published the first detailed description of such a 
one-way function. The original passwords and their enciphered forms are 
regarded as integers modulo a large prime p, and the “one-way” map F, —> 
F, is given by a polynomial f(z) which is not hard to evaluate by computer 
but which takes an unreasonably long time to invert. Purdy used p = 
264 59, f(x) = 22°17 + ayx?”*+3 + aga + aga? + age + a5, where the 
coefficients a; were arbitrary 19-digit integers. 

The above definitions of a public key cryptosystem and a one-way or 
trapdoor function are not precise from a rigorous mathematical standpoint. 
The notion of “realistic computability” plays a basic role. But that is an 
empirical concept that is affected by advances in computer technology (e.g., 
parallel processor techniques) and the discovery of new algorithms which 
speed up the performance of arithmetic tasks (sometimes by a large factor). 
Thus, it is possible that an enciphering transformation that can safely be 
regarded as a one-way or trapdoor function in 1994 might lose its one-way 
or trapdoor status in 2004 or in the year 2994. 

It is conceivable that some transformation could be proved to be trap- 
door. That is, there could be a theorem that provides a nontrivial lower 
bound for the number of bit operations that would be required (“on the 
average,” i.e., for random values of the key parameters) in order to figure 
out and implement a deciphering algorithm without the deciphering key. 
Here one would have to allow the possibility of examining a large number of 
corresponding plaintext-ciphertext message units (as in our frequency anal- 
ysis of the simple systems in Chapter III), because, by the definition of a 
public key system, any user can generate an arbitrary number of plaintext- 
ciphertext pairs. One would also have to allow the use of “probabilistic” 
methods which, while not guaranteed to break the code at once, would be 
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likely to work if repeated many times. (Examples of probabilistic algorithms 
will be given in the next chapter.) Unfortunately, no such theorems have 
been proved for any of the functions that have been used as enciphering 
maps. Thus, while there are now many cryptosystems which empirically 
seem to earn the right to be called “public key,” there is no cryptosystem 
in existence which is provably public key. 

The reason for the name “public key” is that the information needed 
to send secret messages — the enciphering key Kg — can be made public 
information without enabling anyone to read the secret messages. That is, 
suppose we have some population of users of the cryptosystem, each one of 
whom wants to be able to receive confidential communications from any of 
the other users without a third party (either another user or an outsider) 
being able to decipher the message. Some central office can collect the 
enciphering key Kg,4 from each user A and publish all of the keys in a 
“telephone book” having the form 


AAA Banking Company (9974398087453939, 2975290017591012) 
Aardvark, Aaron (8870004228331, 7234752637937) 


Someone wanting to send a message merely has to look up the enciphering 
key in this “telephone book” and then use the general enciphering algorithm 
with the key parameters corresponding to the intended recipient. Only the 
intended recipient has the matching deciphering key needed to read the 
message. 


In earlier ages this type of system would not have seemed to have 
any particularly striking advantages. Traditionally, cryptography was used 
mainly for military and diplomatic purposes. Usually there was a small, 
well-defined group of users who could all share a system of keys, and new 
keys could be distributed periodically (using couriers) so as to keep the 
enemy guessing. 

However, in recent years the actual and potential applications of cryp- 
tography have expanded to include many other areas where communication 
systems play a vital role — collecting and keeping records of confidential 
data, electronic financial transactions, and so on. Often one has a large 
network of users, any two of whom should be able to keep their commu- 
nications secret from all other users as well as intruders from outside the 
network. Two parties may share a secret communication on one occasion, 
and then a little later one of them may want to send a confidential message 
to a third party. That is, the “alliances” — who is sharing a secret with 
whom — may be continually shifting. It might be impractical always to be 
exchanging keys with all possible confidential correspondents. 

Notice that with a public key system it is possible for two parties to 
initiate secret communications without ever having had any prior contact, 
without having established any prior trust for one another, without ex- 
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changing any preliminary information. All of the information necessary to 
send an enciphered message is publicly available. 

Classical vesus public key. By a classical cryptosystem (also called 
a private key cryptosystem or a symmetrical cryptosystem), we mean a 
cryptosystem in which, once the enciphering information is known, the 
deciphering transformation can be implemented in approximately the same 
order of magnitude of time as the enciphering transformation. All of the 
cryptosystems in Chapter III are classical. Occasionally, it takes a little 
longer for the deciphering — because one needs to apply the Euclidean 
algorithm to find an inverse modulo N or one must invert a matrix (and 
this can take a fairly long time if we work with k x k -matrices for k larger 
than 2) — nevertheless, the additional time required is not prohibitive. 
(Moreover, usually the additional time is required only once — to find Kp 
— after which it takes no longer to decipher than to encipher.) For example, 
we might need only O(log?B) to encipher a message unit, and O(log*B) 
bit operations to decipher one by finding Kp from Kg, where B is a bound 
on the size of the key parameters. Notice the role of big-O estimates here. 

If, on the other hand, the enciphering time were polynomial in log B 
and the deciphering time (based on knowledge of Kr but not K:) were, 
say, polynomial in B but not in log B, then we would have a public key 
rather than a classical cryptosystem. 

Authentication. Often, one of the most important parts of a message 
is the signature. A person’s signature — hopefully, written with an idiosyn- 
cratic flourish of the pen which is hard to duplicate — lets the recipient 
know that the message really is from the person whose name is typed be- 
low. If the message is particularly important, it might be necessary to use 
additional methods to authenticate the communication. And in electronic 
communication, where one does not have a physical signature, one has to 
rely entirely on other methods. For example, when an officer of a corporation 
wants to withdraw money from the corporate account by telephone, he/she 
is often asked to give some personal information (e.g., mother’s maiden 
name) which the corporate officer knows and the bank knows (from data 
submitted when the account was opened) but which an imposter would not 
be likely to know. 

In public key cryptography there is an especially easy way to identify 
oneself in such a way that no one could be simply pretending to be you. Let 
A (Alice) and B (Bob) be two users of the system. Let f4 be the enciphering 
transformation with which any user of the system sends a message to Alice, 
and let fg be the same for Bob. For simplicity, we shall assume that the 
set P of all possible plaintext message units and the set C of all possible 
ciphertext message units are equal, and are the same for all users. Let 
P be Alice’s “signature” (perhaps including an identification number, a 
statement of the time the message was sent, etc.). It would not be enough 
for Alice to send Bob the encoded message fg(P), since everyone knows how 
to do that, so there would be no way of knowing that the signature was not 
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forged. Rather, at the beginning (or end) of the message Alice transmits 
fe fal(P). Then, when Bob deciphers the whole message, including this 
part, by applying f, | he finds that everything has become plaintext except 
for a small section of jibberish, which is f,'(P). Since Bob knows that the 
message is claimed to be from Alice, he applies f4 (which he knows, since 
Alice’s enciphering key is public), and obtains P. Since no one other than 
Alice could have applied the function ia which is inverted by f4, he knows 
that the message was from Alice. 

Hash functions. A common way to sign a document is with the help of 
a hash function. Roughly speaking, a hash function is an easily computable 
map f : z+ h from a very long input x to a much shorter output h 
(for example, from strings of about 10° bits to strings of 150 or 200 bits) 
that has the following property: it is not computationally feasible to find 
two different inputs x and x’ such that f(z’) = f(x). If part of Alice’s 
“signature” consists of the hash value h = f(x), where z is the entire text 
of her message, then Bob can verify not only that the message was really 
sent by Alice, but also that it wasn’t tampered with during transmission. 
Namely, Bob applies the hash function f to his deciphered plaintext from 
Alice, and checks that the result agrees with the value h in Alice’s signature. 
By assumption, no tamperer would have been able to change x without 
changing the value h = f(z). 

Key exchange. In practice, the public key cryptosystems for sending 
messages tend to be slower to implement than the classical systems that are 
in current use. The number of plaintext message units per second that can 
be transmitted is less. However, even if a network of users feels attached 
to the traditional type of cryptosystem, they may want to use a public 
key cryptosystem in an auxiliary capacity to send one another their keys 
K = (Kg, Kp) for the classical system. Thus, the ground rules for the 
classical cryptosystem can be agreed upon, and keys can be periodically 
exchanged, using the slower public key cryptography; while the large volume 
of messages would then be sent by the faster, older methods. 

Probabilistic Encryption. Most of the number theory based cryptosys- 
tems for message transmission are deterministic, in the sense that a given 
plaintext will always be encrypted into the same ciphertext any time it is 
sent. However, deterministic encryption has two disadvantages: (1) if an 
eavesdropper knows that the plaintext message belongs to a small set (for 
example, the message is either “yes” or “no”), then she can simply en- 
crypt all possibilities in order to determine which is the supposedly secret 
message; and (2) it seems to be very difficult to prove anything about the 
security of a system if the encryption is deterministic. For these reasons, 
probabilistic encryption was introduced. We will not discuss this further or 
give examples in this book. For more information, see the fundamental pa- 
pers on the subject by Goldwasser and Micali (Proc. 14th ACM Symp. The- 
ory of Computing, 1982, 365-377, and J. Comput. System Sci. 28 (1984), 
270-299). 
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1. Suppose that m users want to be able to communicate with one an- 
other using a classical cryptosystem. Each user insists on being able to 
communicate with each other user without the remaining m — 2 users 
eavesdropping. How many keys K = (Kg, Kp) must be developed? 
How many keys are needed if they are using a public key cryptosystem? 
How many keys are needed for each type of cryptosystem if m = 1000? 

2. Suppose that a network of investors and stockbrokers is using public 
key cryptography. The investors fear that their stockbrokers will buy 
stock without authorization (in order to receive the commission) and 
then, when the investor’s money is lost, claim that they had received 
instructions (producing as evidence an enciphered message to buy the 
stock, claiming that it came from the investor). The stockbrokers, on 
the other hand, fear that in cases when they buy according to the 
investor’s instructions and the stock loses money, the investor will claim 
that he never sent the instruction, and that it was sent by an imposter 
or by the stockbroker himself. Explain how this problem can be solved 
by public key cryptography, so that when all of these sleazy people end 
up in court suing one another, there is proof of who is to blame for 
the reckless investing and consequent loss of money. (Suppose that, in 
the case of a lawsuit between investor A and stockbroker B, the judge 
is given all of the relevant enciphering/deciphering information — the 
keys K4 = (Kea, Kp,a) and Kg = (Kg,z, Kp,g) and the software 
necessary to encipher and decipher.) 

3. Suppose that two countries A and B want to reach an agreement to ban 
underground nuclear tests. Neither country trusts the other, in both 
cases for good reason. Nevertheless, they must agree on a system of ver- 
ification devices to be implanted at various locations on the territory of 
the two countries. Each verification device consists of a sophisticated 
seismograph, a small computer for interpreting the seismograph read- 
ing and generating a message, and a radio transmitter. Explain how 
public key cryptography can be used to enable all of the following (at 
first glance seemingly contradictory) conditions to be met: 

a. Country A insists on knowing the plaintext content of all messages 
emanating from its territory, in order to be sure that the devices are 
not used in coordination with espionage activities by Country B. 

b. Country B insists that Country A cannot fabricate a message from 
the devices which broadcast from its territory (i.e., a message saying 
that everything’s OK, when in fact the seismograph has detected a 
treaty violation). 

c. Country A insists that, if Country B falsely claims to have received 
notification from the device of a treaty violation, then any interested 
third country will be able to determine that, in fact, no such message 
was sent. 
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d. Same as conditions a-c with the roles of the two countries reversed. 
e. The verification devices in both countries. must be identical, and 
must be constructed jointly by scientists from both countries. 

The purpose of this problem is to construct a long-distance coin flip 
using any two-to-one trapdoor function. For example, suppose that 
two chess players at distant parts of the world are playing chess by 
mail or telephone and want a fair way to determine who plays white. 
Or suppose that when making preparations for an international ice— 
hockey match, representatives of the two teams decide to flip a coin 
to see which country hosts the match, without having to arrange a 
meeting (or trust a third party) to “flip the coin.” 

By a system of two-to-one trapdoor functions, we mean an algorithm 
which, given a key Kg of a suitable type, constructs a function f:P —> 
C such that every element c in the image of f has exactly two preimages 
Pi, Pe € P such that f(p;) = c; and an algorithm which, given a key 
Kp which “reverses Kg,” can find both preimages of any c in the image 
of f. Here we assume that it is computationally infeasible to find Kp 
knowing only Kg. Given an element p; € P, notice that one can find 
the other element p2 having the same image if one knows both Kg and 
Kp (namely, find both inverses of f(pi)); but we assume that, knowing 
only Kg, one cannot feasibly compute the companion element po for 
any p; at all. 

Suppose that Player A (Aniuta) and Player B (Bjorn) want to use 
this set-up to flip a coin. Aniuta generates a pair of keys Kg and Kp 
and sends Kg (but not Kp) to Bjorn. Explain a procedure that has a 
50%-50% chance of each player “winning” (give a suitable definition 
of “winning” ), and that has adequate safeguards against cheating. 
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2 RSA 


In looking for a trapdoor function f to use for a public key cryptosystem, 
one wants to use an idea which is fairly simple conceptually and lends itself 
to easy implementation. On the other hand, one wants to have very strong 
empirical evidence — based on a long history of attempts to find algorithms 
for f~! — that decryption cannot feasibly be accomplished without know]- 
edge of the secret deciphering key. For this reason it is natural to look at an 
ancient problem of number theory: the problem of finding the complete fac- 
torization of a large composite integer whose prime factors are not known 
in advance. The success of the so-called “RSA” cryptosystem (from the last 
names of the inventors Rivest, Shamir, and Adleman), which is one of the 
oldest (16 years old) and most popular public key cryptosystems, is based 
on the tremendous difficulty of factoring. 

We now describe how RSA works. Each user first chooses two extremely 
large prime numbers p and q (say, of about 100 decimal digits each), and 
sets n = pq. Knowing the factorization of n, it is easy to compute y(n) = 
(p—1)(q—1) =n+1-p-—gq. Next, the user randomly chooses an integer 
e between 1 and y(n) which is prime to y(n). 

Remark. Whenever we say “random” we mean that the number was 
chosen with the help of a random-number generator (or “pseudo-random” 
number generator), i.e., a computer program that generates a sequence of 
digits in a way that no one could duplicate or predict, and which is likely 
to have all of the statistical properties of a truly random sequence. A lot 
has been written concerning efficient and secure ways to generate random 
numbers, but we shall not concern ourselves with this question here. In 
the RSA cryptosystem we need a random number generator not only to 
choose e, but also to choose the large primes p and q (so that no one 
could guess our choices by looking at tables of special types of primes, for 
example, Mersenne primes or factors of b* + 1 for small b and relatively 
small k). What does a “randomly generated” prime number mean? Well, 
first generate a large random integer m. If m is even, replace m by m + 1. 
Then apply suitable primality tests to see if the odd number m is prime 
(primality tests will be examined systematically in the next chapter). If m 
is not prime, try m+2, then m+4, and so on, until you reach the first prime 
number > m, which is what you take as your “random” prime. According 
to the Prime Number Theorem (for the statement see Exercise 13 of §1.1), 
the frequency of primes among the numbers near m is about 1/log(m), so 
you can expect to test O(logm) numbers for primality before reaching the 
first. prime > m. 
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Similarly, the “random” number e prime to y(n) can be chosen by first 
generating a random (odd) integer with an appropriate number of bits, and 
then successively incrementing it until one finds an e with g.c.d.(e, y(n)) = 
1. (Alternately, one can perform primality tests until one finds a prime 
e, say between maz(p, q) and y(n); such a prime must necessarily satisfy 
g.c.d.(e, p(n)) = 1.) 

Thus, each user A chooses two primes p,4 and g4 and a random number 
ea which has no common factor with (pa — 1)(q4 — 1). Next, A computes 
NA = PAgA, (na) = N4+1—pa,— a, and also the multiplicative inverse of 
ea modulo y(na): da =e, mod y(n). She makes public the enciphering 


key Kg, = (na, ea) and conceals the deciphering key Kp,4 = (na, da). 
The enciphering transformation is the map from Z/n,Z to itself given by 
f(P) = P®4 mod na. The deciphering transformation is the map from 
Z/naZ to itself given by f-!(C) = C*4 mod ng. It is not hard to see that 
these two maps are inverse to one another, because of our choice of d4. 
Namely, performing f followed by f—! or f~1 followed by f means raising 
to the d4e,-th power. But, because d4e, leaves a remainder of 1 when 
divided by y(n), this is the same as raising to the l-st power (see the 
corollary of Proposition 1.3.5, which gives this in the case when P has no 
common factor with n4; if g.c.d.(P,n,4) > 1, see Exercise 6 below). 

From the description in the last paragraph, it seems that we are work- 
ing with sets P = C of plaintext and ciphertext message units that vary 
from one user to another. In practice, we would probably want to choose 
P and C uniformly throughout the system. For example, suppose we are 
working in an N-letter alphabet. Then let k < £ be suitably chosen positive 
integers, such that, for example, N* and N have approximately 200 dec- 
imal digits. We take as our plaintext message units all blocks of k letters, 
which we regard as k-digit base-N integers, i.e., we assign them numerical 
equivalents between 0 and N* We similarly take ciphertext message units to 
be blocks of @ letters in our N-letter alphabet. Then each user must choose 
his/her large primes p, and qa so that n4 = paqa Satisfies N* <n, < Né 
Then any plaintext message unit, i.e., integer less than N* corresponds to 
an element in Z/n,4Z (for any user’s n4); and, since ng < N‘ the image 
f(P) € Z/naZ can be uniquely written as an é-letter block. (Not all letter 
blocks can arise — only those corresponding to integers less than n, for 
the particular user’s n4.) 

Example 1. For the benefit of a reader who doesn’t have a computer 
handy (or does not have good multiple precision software), we shall sac- 
rifice realism and choose most of our examples so as to involve relatively 
small integers. Choose N = 26, k = 3, = 4. That is, the plaintext con- 
sists of trigraphs and the ciphertext consists of four-graphs in the usual 
26-letter alphabet. To send the message “YES” to a user A with enci- 
phering key (n4,e4) = (46927, 39423), we first find the numerical equiva- 
lent of “YES,” namely: 24 - 26? + 4-26 + 18 = 16346, and then compute 
1634639423 mod 46927, which is 21166 = 1-26° +5-267+8-26+2 =“BFIC.” 
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The recipient A knows the deciphering key (n4,d4) = (46927, 26767), 
and so computes 21166767®? mod 46927 = 16346 =“YES.” How did user 
A generate her keys? First, she multiplied the primes pa = 281 and 
qa = 167 to get na; then she chose eg at random (but subject to the 
condition that g.c.d.(e4,280) = g.c.d.(e4,166) = 1). Then she found 
da = ey: mod 280 - 166. The numbers pa, qa, da remain secret. 

In Example 1, how cumbersome are the computations? The most time- 
consuming step is modular exponentiation, e.g., 1634699473 mod 46927. But 
this can be done by the repeated squaring method (see §1.3) in O(k?) bit 
operations, where k is the number of bits in our integers. Actually, if we were 
working with much larger integers, potentially the most time-consuming 
step would be for each user A to find two very large primes p, and qa. In 
order to quickly choose suitable very large primes, one must use an efficient 
primality test. Such tests will be described in the next chapter. 

Remarks. 1. In choosing p and q, user A should take care to see 
that certain conditions hold. The most important are: that the two primes 
not be too close together (for example, one should be a few decimal digits 
longer than the other); and that p— 1 and q — 1 have a fairly small g.c.d. 
and both have at least one large prime factor. Some of the reasons for 
these conditions are indicated in the exercises below. Of course, if someone 
discovers a factorization method that works quickly under certain other 
conditions on p and q, then future users of RSA would have to take care to 
avoid those conditions as well. 

2. In §1.3 we saw that, when n is a product of two primes p and gq, 
knowledge of y(n) is equivalent to knowledge of the factorization. Let’s 
suppose now that we manage to break an RSA system by determining a 
positive integer d such that a°¢ = a mod n for all a prime to n. This 
is equivalent to ed — 1 being a multiple of the least common multiple of 
p—1and q-—1. Knowing this integer m = ed — 1 is weaker than actually 
knowing y(n). But we now give a procedure that with a high probability 
is nevertheless able to use the integer m to factor n. 

So suppose we know n — which is a product of two unknown primes 
— and also an integer m such that a™ = 1 mod n for all a prime to 
n. Notice that any such m must be even (as we see by taking a = —1). 
We first check whether m/2 has the same property, in which case we can 
replace m by m/2. If a™/2 is not = 1 mod n for all a prime to n, then we 
must have a™/? # 1 mod n for at least 50% of the a’s in (Z/nZ)* (this 
statement is proved in exactly the same way as part (a) of Exercise 21 in 
§ 11.2). Thus, if we test several dozen randomly chosen a’s and find that 
in all cases a™/? = 1 mod n, then with very high probability we have this 
congruence for all a prime to n, and so may replace m by m/2. We keep 
on doing this until we no longer have the congruence when we take half of 
the exponent. There are now two possibilities: 

(i) m/2 is a multiple of one of the two numbers p — 1, g — 1 (say, p — 1) 

but not both. In this case a”/? is always = 1 mod p but exactly 50% 
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of the time is congruent to —1 rather than +1 modulo gq. 

(ii) m/2 is not a multiple of either p — 1 or q — 1. In this case a™/? is = 1 
modulo both p and g (and hence modulo n) exactly 25% of the time, 
it is = —1 modulo both p and q exactly 25% of the time, and for the 
remaining 50% of the values of a it is = 1 modulo one of the primes 
and = —1 modulo the other prime. 

Thus, by trying a’s at random with high probability we will soon find 
an a for which a’/? — 1 is divisible by one of the two primes (say, p) but not 
the other. (Each randomly selected a has a 50% chance of satisfying this 
statement.) Once we find such an a we can immediately factor n, because 
g.c.d.(n, a™/? —1) =p. 

The above procedure is an example of a probabilistic algorithm. We 
shall encounter other probabilistic algorithms in the next chapter. 

3. How do we send a signature in RSA? When discussing authentica- 
tion in the last section, we assumed for simplicity that P = C. We have 
a slightly more complicated set-up in RSA. Here is one way to avoid the 
problem of different n4’s and different block sizes (k, the number of letters 
in a plaintext message unit, being less than 2, the number of letters in a ci- 
phertext message unit). Suppose that, as in the last section, Alice is sending 
her signature (some plaintext P) to Bob. She knows Bob’s enciphering key 
Kg,p = (ng, ep) and her own deciphering key Kp,4 = (na, da). What she 
does is send fefa'(P) ifn, < np, or else fal fa(P) ifn, > ng. That is, in 
the former case she takes the least positive residue of P?4 modulo nq; then, 
regarding that number modulo ng, she computes (P?4 mod n4)°? mod ng, 
which she sends as a ciphertext message unit. In the case n4 > ng, she 
first computes P®® mod ng and then, working modulo na, she raises this 
to the d4-th power. Clearly, Bob can verify the authenticity of the message 
in the first case by raising to the dg-th power modulo ng and then to the 
ea-th power modulo ny; in the second case he does these two operations 
in the reverse order. 


m/2 


Exercises 


1. Suppose that the following 40-letter alphabet is used for all plaintexts 
and ciphertexts: A—Z with numerical equivalents 0—25, blank=26, 
.=27, ?=28, $=29, the numerals 0—9 with numerical equivalents 30— 
39. Suppose that plaintext message units are digraphs and ciphertext 
message units are trigraphs (i.e., k = 2, £= 3, 40? < ng < 40° for all 
na). 

(a) Send the message “SEND $7500” to a user whose enciphering key 
is (n4,ea) = (2047, 179). 

(b) Break the code by factoring n4 and then computing the deciphering 
key (na, da). 

(c) Explain why, even without factoring n4, a codebreaker could find 
the deciphering key rather quickly. In other words, why (in addition to 
its small size) is 2047 a particularly bad choice for n4? 
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Try to break the code whose enciphering key is (n4,e4) = (536813567, 
3602561). Use a computer to factor n4 by the stupidest known algo- 
rithm, i.e., dividing by all odd numbers 3, 5, 7,.... If you don’t have a 
computer available, try to guess a prime factor of n4 by trying special 
classes of prime numbers. After factoring na, find the deciphering key. 
Then decipher the message BNBPPKZAVQZLBJ, under the assump- 
tion that the plaintext consists of 6-letter blocks in the usual 26-letter 
alphabet (converted to an integer between 0 and 26° — 1 in the usual 
way) and the ciphertext consists of 7-letter blocks in the same alpha- 
bet. It should be clear from this exercise that even a 29-bit choice of 
na is far too small. 

Suppose that both plaintexts and ciphertexts consist of trigraph mes- 
sage units, but while plaintexts are written in the 27-letter alphabet 
(consisting of A—Z and blank=26), ciphertexts are written in the 28- 
letter alphabet obtained by adding the symbol “/” (with numerical 
equivalent 27) to the 27-letter alphabet. We require that each user A 
choose n4 between 273 = 19683 and 28° = 21952, so that a plaintext 
trigraph in the 27-letter alphabet corresponds to a residue P modulo 
na, and then C = P®4 mod ng corresponds to a ciphertext trigraph 
in the 28-letter alphabet. 

(a) If your deciphering key is Kp = (n,d) = (21583, 20787), decipher 
the message “YSNAUOZHXXH ” (one blank at the end). 

(b) If in part (a)you know that y(n) = 21280, find (i)e = d~! mod y(n), 
and (ii) the factorization of n. 

Show why the 35-bit integer 23360947609 is a particularly bad choice 
for n = pq, because the two prime factors are too close to one another; 
that is, show that n can easily be factored by “Fermat factorization” as 
follows. Note that if n = pq (say p > q), then n = (2g)? — (254)? If p 
and q are close together, then s = (p—q)/2 is small and t = (p+q)/2 is 
an integer only slightly larger than \/n having the property that t? —n 
is a perfect square. If you test the successive integers t > ./n, you'll 
soon find one such that n = ¢? — s? at which point you have p=t+ s, 
q=t-—s. (See Exercise 3 of §1.2 and also §3 of Chapter V.) 

Suppose that you have a quick algorithm (a probabilistic algorithm) for 
solving the equation 2? = a mod p for any prime p and any quadratic 
residue a. For example, by trying random integers and computing the 
Legendre symbol, with high probability we can find a nonresidue; then 
we can apply the algorithm described in §II.2. Suppose, however, that 
there is no good algorithm for solving x? = a mod n for a a square 
modulo n and n = pq a product of two large primes, unless one knows 
the factorization of n (in which case one can find a square root modulo 
p and modulo q and then use the Chinese Remainder Theorem to 
find a square root modulo n). Suppose that p and q are not both 
= 1 mod 4. Let Kg = n, and let Kp = {p,q} be its factorization. Let 
P =C = (Z/nZ)*/ +1, which is the set of pairs (x, —x) of residues 


3 Discrete log 97 


modulo n prime to n, where negatives are grouped with one another. 
Let f:P — C be the map z +» z* mod n. Show that this set-up is 
an example of Exercise 4 in the last section. This gives us a way to 
implement long-distance coin flips. 

6. Let n be any squarefree integer (i.e., product of distinct primes). Let d 
and e be positive integers such that de —1 is divisible by p—1 for every 
prime divisor p of n. (For example, this is the case if de = 1 mod ¢(n).) 
Prove that a? = a mod n for any integer a (whether or not it has a 
common factor with n). 

7. Prove the statements in Remark 2 about the percent of the time the 
different congruences for a/? occur in cases (i) and (ii). 
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3 Discrete log 


The RSA system discussed in the last section is based on the fact that 
finding two large primes and multiplying them together to get n is far easier 
than going in the other direction (given n, finding the two primes). There 
are other fundamental processes in number theory which apparently also 
have this “trapdoor” or “one-way” property. One of the most important is 
raising to a power in a large finite field. 

When working with the real numbers, exponentiation (finding b* to a 
prescribed accuracy) is not significantly easier than the inverse operation 
(finding log,x to a prescribed accuracy). But now suppose we have a finite 
group, such as (Z/nZ)* or F4 (with the group operation of multiplication). 
Because of the repeated-squaring method (see §1.3), one can compute b” 
for large x rather rapidly (in time which is polynomial in log x). But, if 
we’re given an element y which we know to be of the form b* (we suppose 
that the “base” b is fixed), how can we find the power of b that gives y, i.e., 
how can we compute x = log,y (where here “log” has a different but analo- 
gous meaning than before)? This question is called the “discrete logarithm 
problem.” The word “discrete” distinguishes the finite group situation from 
the classical (continuous) situation. 
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Definition. If G is a finite group, b is an element of G, and y is an 
element of G which is a power of b, then the discrete logarithm of y to the 
base b is any integer x such that b* = y. 

Example 1. If we take G = Fj, = (Z/19Z)* and let b be the generator 
2 (see Example 1 of §II.1), then the discrete logarithm of 7 to the base 2 
is 6. 

Example 2. In F§ with a a root of X? — X —1 (see Example 2 of §II.1), 
the discrete logarithm of —1 to the base a is 4. 

At the end of this section we shall briefly discuss the present state 
of algorithms to solve the discrete logarithm problem in finite fields. First 
we describe several public key cryptosystems or special purpose public key 
arrangements that are based on the computational difficulty of solving the 
discrete logarithm problem in finite fields. 

The Diffie-Hellman key exchange system. Because public key cryp- 
tosystems are relatively slow compared to classical cryptosystems (at least 
at our present stage of technology and theoretical knowledge), it is often 
more realistic to use them in a limited role in conjunction with a classical 
cryptosystem in which the actual messages are transmitted. In particular, 
the process of agreeing on a key for a classical cryptosystem can be ac- 
complished fairly efficiently using a public key system. The first detailed 
proposal for doing this, due to W. Diffie and M. E. Hellman, was based on 
the discrete logarithm problem. 

We suppose that the key for the classical cryptosystem is a large ran- 
domly chosen positive integer (or a collection of such integers). For example, 
suppose we want to use an affine matrix transformation of pairs of digraphs 


(see § III.2) 
_fa b e 
ca( 1) P+(§) mod N?, 


where 0 < a, b, c, d, e, f < N? and P is a column vector consisting of the 
numerical equivalents of two successive plaintext digraphs (i.e., altogether 
a four-letter block) in an N-letter alphabet. Once we have a randomly 
selected integer k between 0 and N12 we can take a, b, c, d, e, f to be 
the six digits in k written to the base N? (We must check that ad — bc is 
invertible modulo N? i.e., that it has no common factor with N; otherwise 
we choose another random integer k.) 


We observe that choosing a random integer in some interval is equiv- 
alent to choosing a random element of a large finite field of roughly the 
same size. Let us suppose, for example, that we want to choose a random 
positive k < N12 If our finite field is a prime field of p elements, we sim- 
ply let an element of F, correspond to an integer from 0 to p — 1 in the 
usual way; if the resulting integer is larger than N12 we reduce it modulo 
N* 
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If our finite field is F,;, we first choose an F,-basis of this field, so 
that every element corresponds to an f-tuple of elements of F,; then such 
an f-tuple gives an integer less than p/ if we consider the coordinates as 
digits of an integer written to the base p. Warning: This gives a 1-to-1 
correspondence between F,, and Z/pfZ = {0, 1, 2,...,pf — 1}. But these 
two sets have a very different structure under addition and multiplication. 
The first is a field, i.e., all of the p/ — 1 nonzero elements have inverses, 
while the second is a ring in which p/~! of the pf elements (the multiples 
of p) fail to have inverses. 

We now describe the Diffie-Hellman method for generating a random 
element of a large finite field F,. We suppose that q is public knowledge: 
everyone knows what finite field our key will be in. We also suppose that g 
is some fixed element of F,, which is also not kept secret. Ideally, g should 
be a generator of Fj; however, this is not absolutely necessary. The method 
described below for generating a key will lead only to elements of F, which 
are powers of g; thus, if we really want our random element of Fj to have 
a chance of being any element, g must be a generator. 

Suppose that two users A (Aida) and B (Bernardo) want to agree 
upon a key — a random element of Fj — which they will use to encrypt 
their subsequent messages to one another. Aida chooses a random integer 
a between 1 and gq — 1, which she keeps secret, and computes g® € Fy, 
which she makes public. Bernardo does the same: he chooses a random b 
and makes public g® The secret key they use is then g*°. Both users can 
compute this key. For example, Aida knows g° (which is public knowledge) 
and her own secret a. However, a third party knows only g* and g?. If 
the following assumption holds for the multiplicative group Fj, then an 
unauthorized third party will be unable to determine the key. 

Diffie-Hellman assumption. It is computationally infeasible to compute 
g* knowing only g* and g’. 

The Diffie-Hellman assumption is a priori at least as strong as the 
assumption that discrete logarithms cannot be feasibly computed in the 
group. That is, if discrete logarithms can be computed, then obviously the 
Diffie-Hellman assumption fails. Some people would conjecture that the 
converse implication also holds, but that is still an open question. In other 
words, no one can imagine a way of passing from g* and g® to g*° without 
first being able to determine a or 5; but it is conceivable that such a way 
might exist. 

Example 3. Suppose we’re using a shift encryption of single—letter 
message units in the 26-letter alphabet (see Example 1 of §III.1): C = 
P+B mod 26. (We’re using B rather than 6 to denote the shift key so as 
not to confuse it with the b in the last paragraph.) To choose B, take the 
least nonnegative residue modulo 26 of a random element in Fs3. Let g = 2 
(which is a generator of F53). Suppose Aida picked at random a = 29, and 
looked up Bernardo’s public 2°, which is, say, 12 € Fs3. She then knows 
that the enciphering key is 1279 = 21 € Fs3, ie., B = 21. Meanwhile, she 
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has made public 229 = 45, and so Bernardo can also find the key B = 21 by 
raising 45 to the b-th power (his secret exponent is b = 19). Of course, there 
is no security in working with such a small field; an outsider could easily 
find the discrete logarithm to the base 2 of 12 or 45 modulo 53. And in any 
case there is no security in using a shift encryption of single-letter message 
units. But this example illustrates the mechanics of the Diffie-Hellman key 
exchange system. 

The Massey—Omura cryptosystem for message transmission. We sup- 
pose that everyone has agreed upon a finite field F,, which is fixed and 
publicly known. Each user of the system secretly selects a random integer e 
between 0 and g—1 such that g.c.d.(e,q— 1) = 1 and, using the Euclidean 
algorithm, computes its inverse d = e~! mod q — 1, i.e., de = 1 mod q—1. 
If user A (Alice) wants to send a message P to Bob, first she sends him 
the element P®4. This means nothing to Bob, who, not knowing d, (or 
ea, for that matter), cannot recover P. But, without attempting to make 
sense of it, he raises it to his eg, and sends P®4°? back to Alice. The third 
step is for Alice to unravel the message part of the way by raising to the 
d,-th power; because P44°4 = P (by Proposition II.1.1), this means that 
she returns P®? to Bob, who can read the message by raising this to the 
dg-th power. 

The idea behind this system is rather simple, and it can be generalized 
to settings where one is using other processes besides exponentiation in 
finite fields. However, some words of caution are in order. First of all, notice 
that it is absolutely necessary to use a good signature scheme along with the 
Massey—Omura system. Otherwise, any person C' who is not supposed to 
know the message P could pretend to be Bob, returning to Alice P®4°°; not 
knowing that an intruder was using his own ec, she would proceed to raise 
to the d, and make it possible for C to read the message. Thus, the message 
P®4es from Bob to Alice must be accompanied by some authentification, 
i.e., Some message in some signature scheme which only Bob could have 
sent. 

In the second place, it is important that, after a user such as B or C 
has deciphered various messages P, and so knows various pairs (P, P®), 
he cannot use that information to determine e,4. That is, suppose Bob 
could solve the discrete log problem in Fj, thereby determining from P 
and P®4 what e, must be. In that case he could quickly compute d4 = 
e,: mod q — 1 and then intercept and read all future messages from Alice, 
whether intended for him or not. 

The ElGamal cryptosystem. We start by fixing a very large finite field 
F, and an element g € F4 (preferably, but not necessarily, a generator). We 
suppose that we are using plaintext message units with numerical equiv- 
alents P in F,. Each user A randomly chooses an integer a = aa, say in 
the range 0 < a < q—1. This integer a is the secret deciphering key. The 
public enciphering key is the element g* € Fy. 

To send a message P to the user A, we choose an integer k at random, 
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and then send A the following pair of elements of Fy: 
(g*, Pg**). 


Notice that we can compute g** without knowing a, simply by raising g* 
to the k-th power. Now A, who knows a, can recover P from this pair by 
raising the first element g* to the a-th power and dividing the result into 
the second element (or, equivalently, raising g* to the (q — 1 — a)-th power 
and multiplying by the second element). In other words, what we send A 
consists of a disguised form of the message — P is “wearing a mask” g?* 
— along with a “clue,” namely g*, which can be used to take off the mask 
(but the clue can be used only by someone who knows a). 

Someone who can solve the discrete log problem in F, breaks the cryp- 
tosystem by finding the secret deciphering key a from the public enciphering 
key g*. In theory, there could be a way to use knowledge of g* and g* to 
find g** — and hence break the cipher — without solving the discrete log 
problem. However, as we mentioned in our discussion of the Diffie-Hellman 
key exchange system, it is conjectured that there is no way to go from g* 
and g* to g** without essentially solving the discrete logarithm problem. 

The Digital Signature Standard. In 1991 the U.S. government’s Na- 
tional Institute of Standards and Technology (NIST) proposed a Digital 
Signature Standard (DSS). The role of DSS is expected to be analogous 
to that of the much older Data Encryption Standard (DES), i.e., it is sup- 
posed to provide a standard digital signature method for use by government 
and commercial organizations. But while DES is a classical (“private key” ) 
cryptosystem, in order to construct digital signatures it is necessary to use 
public key cryptography. NIST chose to base their signature scheme on the 
discrete log problem in a prime finite field. The DSS is very similar to a sig- 
nature scheme that was originally proposed by Schnorr (see the references 
below). It is also similar to a signature scheme of ElGamal (see Exercise 9 
below). We now describe how the DSS works. 

To set up the scheme (in order later to be able to sign messages), each 
user Alice proceeds as follows: (1) she chooses a prime q of about 160 bits 
(to do this, she uses a random number generator and a primality test); 
(2) she then chooses a second prime p that is = 1 (mod q) and has about 
512 bits; (3) she chooses a generator of the unique cyclic subgroup of F; 


of order q (by computing g? “U/a (mod p) for a random integer gp; if this 
number is # 1, it will be a generator); (4) she takes a random integer z 
in the range 0 < x < q as her secret key, and sets her public key equal to 
y = 9° (mod p). 

Now suppose that Alice wants to sign a message. She first applies a 
hash function to her plaintext (see §1), obtaining an integer h in the range 
0 <h <q. She next picks a random integer k in the same range, computes 
g* (mod p), and sets r equal to the least nonnegative residue modulo q of 
the latter number (i.e., g* is first computed modulo p, and the result is then 
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reduced modulo the smaller prime q). Finally, Alice finds an integer s such 
that sk = h+ ar (mod q). Her signature is then the pair (r,s) of integers 
modulo gq. 

To verify the signature, the recipient Bob computes u; = s~*h (mod q) 
and u2 = s~'r (mod q). He then computes g¥1y"? (mod p). If the result 
agrees modulo q with r, he is satisfied. (Note that g¥y¥2 = g% (*t2r) — 
g* (mod p).) 

This signature scheme has the advantage that signatures are fairly 
short, consisting of two 160-bit numbers (the magnitude of q). On the other 
hand, the security of the system seems to depend upon intractability of the 
discrete log problem in the multiplicative group of the rather large field Fp. 
Although to break the system it would suffice to find discrete logs in the 
smaller subgroup generated by g, in practice this seems to be no easier than 
finding arbitrary discrete logarithms in F5. Thus, the DSS seems to have 
attained a fairly high level of security without sacrificing small signature 
storage and implementation time. 

Algorithms for finding discrete logs in finite fields. We first suppose 
that all of the prime factors of g—1 are small. In this case we sometimes say 
that q—1 is “smooth.” With this assumption there is a fast algorithm for 
finding the discrete log of an element y € F4 to the base b. For simplicity, we 
shall suppose that 6 is a generator of Fj. We now describe this algorithm, 
which is due to Silver, Pohlig and Hellman. 

First, for each prime p dividing q — 1, we compute the p-th roots of 
unity rp,j = bi(q-1)/P for 7 = 0,1,...,p—1. (As usual, we use the repeated 
squaring method to raise b to a large power.) With our table of {rp,;} we 
are ready to compute the discrete log of any y € Fj. (Note that, if b is 
fixed, this first computation needs only be done once, after which the same 
table is used for any y.) 

Our object is to find x, 0 < x < q—1, such that b® = y. Ifq—1= Il, p* 
is the prime factorization of qg—1, then it suffices to find x mod p® for each 
p dividing q — 1; from this z is uniquely determined using the algorithm 
in the proof of the Chinese Remainder Theorem (Proposition 1.3.3). So we 
now fix a prime p dividing g — 1, and show how to determine z mod p®. 

Suppose that 2 = 29 +. 21p +++: +2q—1p*%~! (mod p*) with 0 < 2; < p. 
To find zo we compute y(¢~1)/?, We get a pth root of 1, since y?—! = 1. 
Since y = b*, it follows that y'{—))/? = 5(9-1)/p — pro(a-1)/P =, ,.. Thus, 
we compare y(?-1)/P with the {rp,;}o<j<p and set 2p equal to the value of 
j for which y(0-)/P = ry ;. 

Next, to find 2), we replace y by y; = y/b*°. Then y; has discrete 
log z — 29 = 21p + ++: Lq-1p*! (mod p%). Since y; is a p-th power, we 


have y@-)/? = 1 and y@ D/P” = ple-20)(a-V)/e? = plerteert+-a-D)/P = 


2 
p21(9-1)/P — r, ,. So we can compare y{7-)/?” with {rp ;} and set x, equal 
Pz. Te Yt Psi 
to the value of j for which y{2-)/? =r, ;. 


It should now be clear how we can proceed inductively to find all zo, 21, 
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++; Zq-1. Namely, for each i = 1,2,...,a—1 set 


pind 
Yi = y/Pro tes eae ; 


which has discrete log congruent mod p* to z;p'+---+2q_1p%~!. Since y; is 
‘< a 7 x i41 
a p'-th power, we have y(4 1)/P" _ 1 and yl D/P" — p(aeteisipt--)(q-1)/p 


= bt(9-1)/P = 7, ,,. So we set x; equal to the value of j for which ype 


=1p,j- 

When we are done we will have 2 mod p®. After doing this for each 
p\q — 1, we finally use the Chinese Remainder Theorem to find z. 

This algorithm works well when all of the primes dividing g — 1 are 
small. But clearly the computation of the table of {rp,;} and the comparison 


of the yr! ee with this table will take a long time if qg—1 is divisible by 
a large prime. (By “large” we mean of at least about 20 digits. If plq —1 is 
smaller than about 102°, then one can combine the Silver-Pohlig—Hellman 
algorithm with Shanks’ “giant step — baby step” method; see pp. 9, 575- 
576 of Knuth, Vol. 2.) 

Example 4. Find the discrete log of 28 to the base 2 in F3, using the 
Silver-Pohlig-Hellman algorithm. (2 is a generator of F3z.) 

Solution. Here 37 — 1 = 2? - 3. We compute 218 = 1 (mod 37), and 
so r2,9 = 1, r21 = —1. (For p = 2, always {ro;} = {+1}.) Next, 296/$ = 
26, 2736/3 = 10 (mod 37), and so {r3,;} = {1, 26, 10}. Now let 28 = 
27 (mod 37). We first take p = 2 and find x mod 4, which we write as 
ro + 221. We compute 28°6/2 = 1 (mod 37), and hence zo = 0. We then 
compute 28°6/4 = —1 (mod 37), and hence 2; = 1, ie., z = 2 (mod 4). 
Next we take p = 3 and find x mod 9, which we write as xo + 32,. (Of 
course, for each p the 2; are defined differently.) To find x9, we compute 
2836/3 = 26 (mod 37), and so tp = 1. We then compute (28/2)°9/9 = 144 = 
10 (mod 37); thus, 7; = 2, and soz = 1+2-3=7 (mod 9). It remains 
to find the unique x mod 36 such that 2 = 2 (mod 4) and z =7 (mod 9). 
This is 2 = 34. Thus, 28 = 2°4 in F4,. 

The index—calculus algorithm for discrete logs. The reader may want 
to skip this subsection for now, or read it lightly, and come back to it for a 
closer examination while reading §V.3, since the index—calculus algorithm 
for computing discrete logs in finite fields has much in common with the 
factor—base method for factoring large integers. 

Here we shall suppose that q = p” is a fairly large power of a small 
prime p, and b is a generator of Fj. The index—calculus algorithm finds for 
any y € F} the value of x mod q — 1 such that y = 6”. 

Let f(X) € F,[X] be any irreducible polynomial of degree n; then 
F, is isomorphic to the residue ring F,[X]/f(X). Any element a € Fy = 
F,[X]/f(X) can be written (uniquely) as a polynomial a(X) € F,[X] of 
degree at most n—1. In particular, our base b = b(X) is such a polynomial. 
The “constants” are the elements of F, C Fy. 
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We first note that b’ = 6(7-))/(®-}) is a generator of F*, (see Exercise 17 
of §II.1). Thus, we immediately know the discrete logs to the base b of these 
constants once we solve the discrete log problem in FF (to the base b’). But 
we have assumed that p is small, and so a table of such discrete logs can 
easily be constructed. In the important special case p = 2, in fact, the only 
nonzero constant is 1, whose discrete log to any base is 0. In what follows 
we shall suppose that we can easily find the discrete log of a constant. 

For the rest of this section we shall let ind(a(X)) (from the word 
“index” ) denote the discrete log of a(X) € F3 to the base b(X). The base 
b(X) is fixed throughout the discussion, and so will not be indicated in the 
notation. 

There are two basic stages of the index—calculus algorithm. The first 
stage is called a “precomputation,” because it does not depend on the ele- 
ment y(X) € Fj whose discrete log we ultimately want to determine. It has 
only to be carried out once, and can then be used for many computations of 
various discrete logs to the fixed base b(X). (Recall that there was also an 
analogous precomputation stage in the Silver-Pohlig—Hellman algorithm, 
namely, the compilation of the table of {rp,;}.) 

We first choose a subset B C Fy which will serve as our “basis.” 
Usually B consists of all monic irreducible polynomials over F, of degree 
<m, where m < n is determined in some optimal way so that the set B has 
a suitable size h = #(B) of intermediate magnitude between p = #(F,) 
and q = p" = #(F,). The precomputation stage consists in determining 
the discrete logs of all a(X) € B, as follows. 

Choose a random integer t between 1 and g—2, and compute b' € F,, 
i.e., compute the polynomial c(X) € F,[X] of degree < n such that 


c(X) = b(X)* mod f(X). 


(Here one uses the repeated squaring method, at each step reducing mod- 
ulo f(X).) Factor out the leading coefficient cp from c(x), and determine 
whether or not the resulting monic polynomial can be written as a product 
of the a(X) € B, i.e., whether or not c(X) can be written in the form 


e(X) = eo || a(X)**. 
acB 

One way to determine this is to run through all a(X) € B and divide c(X) 
successively by a(X)%* (where Qc,q is the highest power of a(X) which 
divides c(X) in F,[X]). If the constant co is all that remains after dividing 
by powers of all of the a(X) € B, then c(X) has the above form; otherwise, 
start over again at the beginning of this paragraph with a different random 
integer t. (A second way — in some cases quicker — to determine whether 
c(X) factors into a product of a(X) € B is simply to factor c(X) using 
an algorithm for factoring elements of F,|[X]. For a description of a good 
algorithm for this purpose (due to Berlekamp), see Volume II of Knuth, 
§4.6.2.) 
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Now suppose that we have found a c(X) = b(X)’ mod f(X) which 
has the desired type of factorization. Taking the discrete log of both sides 
of the above equality, we obtain 


ind(c(X)) — ind(co) = Ss Q,aind(a(X)), 
acB 


where equality here should be interpreted as congruence modulo q—1 (since 
the discrete log is defined only modulo q — 1). The left side of this equality 
is known, since ind(c(X)) = t and the discrete logs of constants are as- 
sumed to be known. The coefficients a,¢,q on the right are also known. The 
unknowns are the h values ind(a(X)), a(X) € B, on the right. 

Thus, we have obtained a linear equation in Z/(q — 1)Z with h un- 
knowns. Now suppose we continue to choose random integers t until we 
obtain a large number of different c(X)’s which factor into a product of 
a(X)’s. As soon as we obtain h independent congruences of the type 


t —ind(co) = a Qe,aind(a(X)) mod q—1 
acB : 


(here “independent” means that the determinant of the coefficient matrix 
{Qc,a} is prime to q — 1), then we can solve the system for the unknowns 
modulo gq — 1. (See §III.2 for a discussion of linear algebra modulo N = 
q — 1.) This completes the first stage of the index—calculus algorithm. The 
precomputation has given us a large “data—base,” namely the discrete logs 
of all a(X) € B, from which to compute any discrete log we are interested 
in. 

Before proceeding to a description of the second stage of the index— 
calculus algorithm, we should comment on the choice of m, which was not 
specified when we described B C F,[X] as the set of all monic irreducible 
polynomials of degree < m. The size h of the set B grows rapidly as m in- 
creases. For example, if m is prime, then we saw (Corollary to Proposition 
II.1.8) that in degree m alone there are (p™ — p)/m monic irreducible poly- 
nomials. Since we are required to find at least h different c(X)’s which give 
us the h x h system of independent linear congruences in the h unknowns 
ind(a(X)), and then we have to solve the system, it would be helpful if h 
were not too large, i.e., if m were not too large. On the other hand, if m is 
small, then a “typical” monic polynomial co 1¢(X) of degree < n—1 is not 
likely to factor into a product of a(X) of degree < m; it is more likely to 
have at least one irreducible factor of degree > m. That is, if m is small, 
it will take us an inordinate amount of time to make even a single lucky 
random choice of t for which c(X) = b(X)* mod f(X) has the desired type 
of factorization. Thus, m must be not too small, though quite a bit smaller 
than n. The optimal choice of m — depending, of course, on p and n — 
requires a lengthy analysis of probabilities and time estimates, which go 
beyond the scope of this book. For example, when p = 2 and n = 127, the 
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best choice turns out to be m = 17 (in which case h = 16510). The value 
q = 2!27 is a popular choice, because #(Foi27) = 2127 _ 1 is a Mersenne 
prime. 

We now return to the index-calculus algorithm, and describe the fi- 
nal stage. Here we suppose that y(X) € Fj is the element whose dis- 
crete log we wish to compute, and that stage one has already given us 
the values of ind(a(X)) for all a(X) € B. We again choose a random t 
between 1 and q — 2, and compute y, = yb‘, i.e., the unique polynomial 
yi(X) € F,[X] of degree < n satisfying yi1(X) = y(X)b(X)* mod f(X). 
As in the first stage of the algorithm, we test whether y,(X) factors 
into a constant yo times a product of powers of a(X), a(X) € B. If 
not, we choose another random t, and so on, until we finally have an 
integer t such that yi(X) = yo] [eg a(X)%*. As soon as this happens, 
we are done, because ind(y) = ind(y,) — t, by the definition of y,; and 
ind(y1) = ind(yo) + >> @aind(a(X)), in which we know all of the terms on 
the right. This completes the description of the index—calculus algorithm. 


It should be mentioned that in the popular case p = 2, an improved 
method due to D. Coppersmith has significantly speeded up the process of 
finding discrete logs. For this reason, a discrete log cryptosystem using F3, 
is no longer regarded as secure unless n is of the order of 1000. Despite this, 
these fields F2. remain popular because they lend themselves to efficient 
programming. For a good survey (covering what was known as of 1985), 
the reader is referred to A. Odlyzko’s article (see References below). 

If g = p” is an odd prime power which is k bits long, it turns out 
that, roughly speaking, the order of magnitude of time needed to solve 
the discrete log problem in Fj is comparable to what is needed to factor 
a k-bit integer. That is, from an empirical point of view, the discrete log 
problem seems to be about as difficult as factoring (though no one has been 
able to prove a theorem to this effect). In fact, when we discuss factoring 
algorithms and time estimates for them in the next chapter, we will see that 
one of the fundamental methods of factoring large integers bears a striking 
resemblance to the index—calculus algorithm for finding discrete logs. 

Thus, at this point it is too early to say whether the public key cryp- 
tosystems of the RSA type (based on the difficulty of factoring integers) or 
the discrete log cryptosystems will eventually prove to be the more secure. 


Exercises 


Note: Exercises 4, 6, 7(c) and 8 should be attempted only if you have the 

use of a computer with multiple precision arithmetic programs. (All that is 

really needed is a program for computing a® mod m for very large integers 

a, b and m; recall that a~! mod p can be computed by taking a?~2.) 

1. If one has occasion to do a lot of arithmetic in a fixed finite field F, 
which is not too large, it can save time first to compose a complete 
“table of logarithms.” In other words, choose a generator g of F, and 
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make a 2-column list of all pairs n, g” as n goes from 1 to q— 1; then 
make third and fourth columns listing all pairs a, log,a. That is, list 
the elements a of Fj in some convenient order in the third column, 
and then run down the first two columns, putting each n in the fourth 
column next to the a which is g”. For example, to do this for Fg (see 
Example 2 in §II.1), we choose g = a to be a root of X? — X — 1, and 
make the following table: 


n g” a logga 
1 a 8 
2 atl -1 4 
3 -a+l1 a 1 
4 -1 a+l 2 
5 —a@ a-1 7 
6 -a-1 -a 5 
7 a-l -at+l1 3 
8 1 -a-1 6 


Then multiplication or division involves nothing more than addition 
or subtraction modulo q — 1 and looking at the table. For example, to 
multiply a—1 by —a—1, we find the two numbers in the third column, 
add the two corresponding logarithms: 7 + 6 = 5 mod 8, and then find 
the answer —a in the second column next to 5. 

(a) Make a log table for F3,, and use it to compute 16-17, 19-13, 
1/17, 20/23. 

(b) Make a log table for F3, and use it to compute the following (where 
a is a root of X*+ X +1; your answers should not involve any higher 
power of a than a”): (a+1)(a? +a), (a? +a+1)(a? +1), 1/(a? +1), 
a/(o? +a+4+1). 

At first glance, it may seem that we could use the cyclic group 
(Z/p*Z)* (see Exercise 2(a) in §II.1) instead of F¥ as a setting for 
the discrete logarithm problem. However, the discrete log problem for 
(Z/p*Z) for a > 1 turns out to be essentially no more time-consuming 
(even if q is fairly large) than for a = 1 (ie., Fp). More precisely, 
using the same technique that is given below in this exercise, one can 
prove that, once one solves the discrete log problem modulo p, going 
the rest of the way (i-e., solving it modulo p%) takes polynomial time in 
log(p*) = alog p. (Recall that no algorithm is known which solves the 
discrete log problem modulo p for large p in polynomial time in log p; 
and experts doubt that such an algorithm exists.) In this exercise, we 
show that in the case p = 3 there’s a straightforward algorithm which 
solves the discrete log problem modulo 3° in time which is polynomial 
ina. 

Thus, suppose we take g = 2 (it is easy to show that 2 is a generator of 
(Z/3°Z)* for any a), we have some integer a not divisible by 3, and we 
want to solve the congruence 2” = a mod 3% Prove that the following 
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algorithm always finds x and takes polynomial time in a, and estimate 
(using the O-notation) the number of bit operations required to find 
Lx: 

(i) Show that the discrete log problem is equivalent to the congruence 
with a moved to the left (i.e., 27a = 1). Next, show that without loss of 
generality we may assume that a = 1 mod 3 and z is even. Thus, we can 
replace our original congruence with the congruence 4*a = 1 mod 3% 
(ii) Write 2 = 29 +321 +--:+3%-?24_2, where the x; are base-3 digits. 
Take x_; = 0. Then the congruence 


- 
4zot3eit--+3°°"23-2q = 1 mod 3! (*); 


holds for 7 = 1. Set g,; = 4. In the course of the algorithm as 
a by-product we will compute g; = 43°"" mod 3%. Set a, = a, 
and for j > 1 define a; to be the least positive residue mod 3° of 
4t0+821+---+3'~°2;-2g. we will compute a; below as we go along. 

(iii) Suppose that 7 > 1 and we have found zo,...,2;-3 such that the 
congruence (*);-1 holds (i.e., (*) with j — 1 in place of 7). Further 
suppose that we have computed g;-1 = 4°-” mod 3% and also a;-1. 
First set 2;~-2 equal to (1 —a;~-1)/3/-? modulo 3. (Notice that a;_1 = 
1 mod 33-' because of (*);—1.) Next, compute a; = g;7;’a;-1 mod 3% 
Finally, if 7 < a, compute g; by raising g;_1 to the 3-rd power, working 
modulo 3% 

(iv) When you reach j = a, you’re done. 

3. You and your friend agree to communicate using affine enciphering 
transformations C = AP +B mod N (see Examples 3 and 4 in §III.1, 
where lowercase letters a and b were used for the coefficients of the 
transformation). Your message units are single letters in the 31-letter 
alphabet with A—Z corresponding to 0—25, blank=26, .=27, ?=28, 
!=29, ’=30. You regard the key Kg = (A,B) as an element A+ Bi 
in the field of 31? elements (where i denotes a square root of —1 in 
that field). You also agree to exchange keys using the Diffie-Hellman 
system, and to choose g = 4+ 7%. Then you randomly choose a secret 
integer a = 209. Your friend sends you her g’ = 1+ 19%. 

(a) Find the enciphering key. 

(b) What element of F9g; must you send your friend in order that she 
can also find the key? 

(c) Find the deciphering transformation. 

(d) Read the message “BUVCFIWOUJTZ!H.” 

4. You receive the ciphertext “VHNHDOAM,” which was sent to you 
using a 2 x 2 enciphering matrix 


(: ) 


3 Discrete log 109 


applied to digraphs in the usual 26-letter alphabet. The enciphering 
matrix was determined using the Diffie-Hellman key exchange method, 
as follows. Working in the prime field of 3602561 elements, your corre- 
spondent sent you g® = 983776. Your randomly chosen Diffie-Hellman 
exponent a is 1082389. Finally, you agree to get a matrix from a key 
number Kg € F 3602561 by writing the least nonnegative residue of Kz 
modulo 26* in the form a- 26° + 6-26? + c- 26 +d (where a, b, c, d are 
digits in the base 26). If the resulting matrix is not invertible modulo 
26, replace Kg by Kg +1 and try again. Take as the enciphering ma- 
trix the first invertible matrix that arises from the successive integers 
starting with Kp. 

(a) Use this information to find the enciphering matrix. 

(b) Find the deciphering matrix, and read the message. 

Suppose that each user A has a secret pair of transformations f4 and 
i from P to P, where P is a fixed set of plaintext message units. 
They want to transmit information securely using the Massey-Omura 
technique, i.e., Alice sends f4(P) to Bob, who then sends fa(fa(P)) 
back to her, and so on. Give the conditions that the system of f,’s 
must satisfy in order for this to work. 

Let p be the Fermat prime 65537, and let g = 5. You receive the mes- 
sage (29095, 23846), which your friend composed using the ElGamal 
cryptosystem in FS, using your public key g* Your secret key, needed 
for deciphering, is a = 13908. You have agreed to convert integers in 
F, to trigraphs in the 31-letter alphabet of Exercise 3 by writing them 
to the base 31, the digits in the 31?—, the 31— and 1— place being the 
numerical equivalents of the three letters in the trigraph. Decipher the 
message. 

(a) Show that choosing F, with p = 22" +1 a Fermat prime is an 
astoundingly bad idea, by constructing a polynomial time algorithm 
for solving the discrete log problem in FF (i.e., an algorithm which is 
polynomial in log p). To do this, suppose that g is a generator (e.g., 5 
or 7, as shown in Exercise 15 of §II.2) and for a given a you want to 
find z, whereO<2<p-1= 22 such that g* = a mod p. Write x in 
binary, and pattern your algorithm after the algorithm for extracting 
square roots modulo p that was described at the end of §II.2. 

(b) Find a big-O estimate (in terms of p) for the number of bit opera- 
tions required to find the integer + by means of the algorithm in part 
(a). 

(c) Use the algorithm in part (a) to find the value of k in Exercise 6. 
Suppose that your plaintext message units are 18-letter blocks written 
in the usual 26-letter alphabet, where the numerical equivalent of such 
a block is an 18-digit base-26 integer (written in order of decreasing 
powers of 26). You receive the message 


(82746592004375034872957717, 164063768437915425954819351), 
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10. 


11. 


12. 


which was enciphered using the ElGamal cryptosystem in the prime 
field of 297262705009139006771611927 elements, using your public key 
g°. Your secret key is a = 10384756843984756438549809. Decipher the 
message. 

Here is a scheme (also due to ElGamal) for sending a signature using 
a large prime finite field F,. Explain why Alice can do all the steps 
required to send her signature (in time polynomial in log p), why Bob 
can verify that Alice must have sent the signature, and why the system 
would fail if an imposter could solve the discrete logarithm problem in 
F*. 

We suppose that a fixed p and a fixed g € Fare publicly known. Each 
user A also chooses a random integer a4, 0 < a4 < p—1, which is kept 
secret, and publishes y4 = g*4. 

To send her signature — which is composed of message units with 
numerical equivalents S in the range 0 < S < p—1— Alice first chooses 
a random integer k prime to p—1. She computes r = g* mod p, and then 
solves the following congruence for the unknown z: g° = y"r™ mod p. 
She sends Bob the pair (r, x) along with her signature S. Bob verifies 
that g° is in fact = y"r* mod p, and he is happy, secure in his confidence 
that Alice did send the message S. 

Using the Silver—-Pohlig—Hellman algorithm, find the discrete log of 153 
to the base 2 in F{,,. (2 is a generator of Fi,.) 

(a) What is the percent likelihood that a random polynomial over F2 of 
degree exactly 10 factors into a product of polynomials of degree < 2? 
What is the likelihood that a random nonzero polynomial of degree at 
most 10 factors into such a product? 

(b) What is the probability that a random monic polynomial over F3 of 
degree exactly 10 factors into a product of polynomials of degree < 2? 
What is the probability that a random monic polynomial of degree at 
most 10 factors into such a product? 

For n > m > 1, let P,(n,m) denote the probability that a random 
monic polynomial over F, of degree at most n is a product of irre- 
ducible factors all of degree < m. 

(a) Prove that for any fixed n and m, P(n,m) = limp—co Pp(n,m) 
exists and is strictly between 0 and 1. 

(b) Find an explicit expression for P(n, 2). 

(c) Compute P(n, 2) exactly for all n < 7. 
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In this section we describe another type of public key cryptosystem, which is 
based on the so-called “knapsack problem.” Suppose you have a large knap- 
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sack which you are packing in preparation for a long hike in the wilderness. 
You have a large number of items (say, k items) of volume 1;, i = 0,...,k—1, 
to fit into the knapsack, which holds a total volume V. Suppose that you 
are an experienced knapsack packer, and can always fit items in with no 
wasted space. You want to take the biggest load possible, so you want to 
find some subset of the k items that exactly fills the knapsack. In other 
words, you want to find some subset J C {1,...,k} such that }0,-,;u,=V, 
if such a subset exists. This is the general knapsack problem. We shall fur- 
ther assume that V and all of the v; are positive integers. An equivalent 
way to state the problem is then as follows: 

The knapsack problem. Given a set {v;} of k positive integers and an 
integer V, find a k-bit integer n = (€,—1€k-2--- €1€0)2 (where the e; € {0,1} 
are the binary digits of n) such ary €,v; = V, if such an n exists. 

Note that there may be no solution n or many solutions, or there might 
be a unique solution, depending on the k-tuple {v;} and the integer V. 

A special case of the knapsack problem is the superincreasing knapsack 
problem. This is the case when the v;, arranged in increasing order, have 
the property that each one is greater than the sum of all of the earlier 1;. 

Example 1. The 5-tuple (2, 3,7, 15,31) is a superincreasing sequence. 

It is known that the general knapsack problem is in a very difficult 
class of problems, called “NP-complete” problems. This means that it is 
equivalent in difficulty to the notorious “traveling salesman problem.” In 
particular, if the central conjecture in complexity theory is true, as most 
everyone believes it is, then there does not exist an algorithm which solves 
an arbitrary knapsack problem in time polynomial in k and log B, where 
B is a bound on the size of V and the 1,;. 

However, the superincreasing knapsack problem is much, much easier 
to solve. Namely, we look down the v;, starting with the largest, until we 
get to the first one that is < V. We include the corresponding i in our 
subset I (i.e., we take «; = 1), replace V by V — 1, and then continue down 
the list of v; until we find one that is less than or equal to this difference. 
Continuing in this way, we eventually either obtain a subset of {v;} which 
sums to V, or else we exhaust all of {v;} without getting V —}°,., vi equal 
to 0, in which case there is no solution. We now write the algorithm in a 
more formal way that could be easily converted to a computer program. 

The following polynomial time algorithm solves the knapsack problem 
for a given superincreasing k-tuple {v;} and integer V: 

1. Set W equal to V, and set j = k. 
2. Starting with e;_; and decreasing the index of e, choose all of the « 

equal to 0 until you get to the first i — call it ig — such that v;,, < W. 

Set Ei. = 1. 

3. Replace W by W — v,,, set j = ip, and, if W > 0, go back to step 2. 
4. If W =0, you’re done. If W > 0, and all of the remaining v; are > W, 
then you know there is no solution n = (€x-1---€0)2 to the problem. 

Notice that the solution (if there is one) is unique. 
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Example 2. Let the v; be as in Example 1, and take V = 24. Then, 
working from right to left in our 5-tuple {2, 3,7, 15,31}, we see that «4 = 0, 
€3 = 1 (at which point we replace 24 by 24 — 15 = 9), eg = 1 (at which 
point we replace 9 by 9 — 7 = 2), €, = 0, 9 = 1. Thus, n = (01101). = 13. 

We now describe how to construct the knapsack cryptosystem (also 
called the Merkle-Hellman system). We first suppose that our plaintext 
message units have k-bit integers P as their numerical equivalents. For 
example, if we’re working with single letters in the 26-letter alphabet, then 
every letter corresponds to one of the 5-bit integers from 0 = (00000). to 
25 = (11001). in the usual way. 

Next, each user chooses a superincreasing k-tuple {vo,...,vz—1}, an 
integer m which is greater than Ss v;, and an integer a prime to m, 
0 < a<_m. This is done by some random process. For example, we could 


choose an arbitrary sequence of k + 1 positive integers z;, 1 = 0,1,...,k, 
less than some convenient bound; set vp = zo, Vi = 2 +Uj-1 +Ui-2 +--+ +09 
fori =1,...,4—1; and set m equal to z, + Dar v;. Then one can choose 


a random positive a9 < m and take a to be the first integer > ap that 
is prime to m. After that, one computes b = a~! mod m (i.e., b is the 
least positive integer such that ab = 1 mod m), and also computes the 
k-tuple {w;} defined by w; = av; mod m (i.e., w; is the least positive 
residue of av; modulo m). The user keeps the numbers v;, m, a, and 6 
all secret, but publishes the k-tuple of w;. That is, the enciphering key is 
Kr = {wo,..., Wei}. The deciphering key is Kp = (b,m) (which, along 
with the enciphering key, enables one to determine {vo,..., ve—1}). 

Someone who wants to send a plaintext k-bit message P = (€,_-1€4~2 
-++€1€9)2 to a user with enciphering key {w;} computes C = f(P) = 
pee €;w;, and transmits that integer. 

To read the message, the user first finds the least positive residue V of 
bC modulo m. Since bC = > ebwi = > ev; mod m (because bw; = bav; = 
v; mod m), it follows that V = }~ €,v;. (Here we are using the fact that both 
V < mand )o «uv; < 55; < m to convert the congruence modulo m to 
equality.) It is then possible to use the above algorithm for superincreasing 
knapsack problems to find the unique solution (€,_1---€9)2 = P of the 
problem of finding a subset of the {v;} which sums exactly to V. In this 
way we recover the message P. 

Note that an eavesdropper who knows only {w;} is faced with the 
knapsack problem C = >> €,w;, which is not a superincreasing problem, 
because the superincreasing property of the k-tuple of v; is destroyed when 
v; is replaced by the least positive residue of av; modulo m. Thus, the above 
algorithm cannot be used, and, at first glance, the unauthorized person 
seems to be faced with a much more difficult problem. We shall return to 
this point later. 

Example 3. Suppose that our plaintext message units are single let- 
ters with 5-bit numerical equivalents from (00000). to (11001)2, as above. 
Suppose that our secret deciphering key is the superincreasing 5-tuple 
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in Example 1. Let us choose m = 61, a = 17; then b = 18 and the 
enciphering key is (34,51,58, 11,39). To send the message ‘WHY’ our 
correspondent would compute ‘W’= (10110)2 + 51+ 58+ 39 = 148, 
‘H’= (00111). + 344 51+ 58 = 143, ‘Y’= (11000). + 11+ 39 = 50. 
To read the message 148, 143,50, we first multiply by 18 modulo 61, ob- 
taining 41, 12,46. Proceeding as in Example 2 with V = 41, V = 12, and 
V = 46, we recover the plaintext (10110)2, (00111)2, (11000)>. 

Of course, as usual there is no security using single-letter message units 
with such a small value of k = 5; Example 3 is meant only to illustrate the 
mechanics of the system. 

For a while, many people were optimistic about the possibilities for 
knapsack cryptosystems. Since the problem of breaking the system is in a 
very difficult class of problems (NP-complete problems), they reasoned, the 
system should be secure. 

However, there was a fallacy in that reasoning. The type of knapsack 
problem C' = >> €;w; that must be solved, while not a superincreasing knap- 
sack problem, is nevertheless of a very special type, namely, it is obtained 
from a superincreasing problem by a simple transformation, i.e., multiply- 
ing everything by a and reducing modulo m. In 1982, Shamir found an 
algorithm to solve this type of knapsack problem that is polynomial in k. 
Thus, the original Merkle-Hellman cryptosystem cannot be regarded as a 
secure public key cryptosystem. 

One way around Shamir’s algorithm is to make the knapsack system 
a little more complicated by using a sequence of transformations of the 
form x ++ ax mod m for different a and m. For example, we might sim- 
ply use two transformations corresponding to (a1, ) and (a2,mg). That 
is, we first replace our superincreasing sequence {v;} by {wi}, where w; 
is the least positive residue of a,v; mod mj , and then obtain a third 
sequence {u;} by taking the least positive residue u; = aw; mod mg. 
Here we choose random mj , m2, a, and az subject to the conditions 
mm, > Yu, mz > km, and g.c.d.(a,,™) = g.c.d.(az, m2) =) 1. 
The public key is then the k-tuple of u;, and the enciphering function 
is C = f(P) = ae €;uj, where P = (€¢-1---€1)2. To decipher the ci- 
phertext using the key Kp = (b1,m,b2,m2) (where b; = ap. mod m4 
and be = ag 1 mod M2), we first compute the least positive residue of boC’ 
modulo mg, and then take the result, multiply it by b,, and reduce modulo 
my. Since beC = > €,w; mod ma, and since m2 > km, > >> wi, it follows 
that the result of reducing b2C mod mz is equal to }- €;w;. Then when we 
take b; }- €;w; mod m, we obtain )> €;v;, from which we can determine the 
€; using the above algorithm for a superincreasing knapsack problem. 

At the present time, although there is no polynomial time algorithm 
which has been proved to give a solution of the iterated knapsack problem 
(i.e., the public key cryptosystem described in the last paragraph), Shamir’s 
algorithm has been generalized by Brickell and others, who show that it- 
erated knapsack cryptosystems are vulnerable to efficient cryptanalysis. In 
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any case, after Shamir’s breakthrough, most experts lost confidence in the 
security of a public key cryptosystem of this type. 

An as yet unbroken knapsack. We now describe a method of message 
transmission based on a knapsack-type one-way function that uses poly- 
nomials over a finite field. The cryptosystem is due to Chor and Rivest; 
we shall describe a slightly simplified (and less efficient) version of their 
construction. 

Again suppose that Alice wants to be able to receive messages that 
are k-tuples of bits €9,...,€,-1. (The number k is selected by Alice, as 
described below.) Her public key, as before, is a sequence of positive integers 
Up,-+-)Uk—1, constructed in the way described below. This time Bob must 
send her not only the integer c = }\e€,v; but also the sum of the bits 
c = > €j- 

Alice constructs the sequence v; as follows. All of the choices described 
in this paragraph can be kept secret, since it is only the final k-tuple 
U0,;--+;Uk—1 that Bob needs to know in order to send a message. First, 
Alice chooses a prime power q = pf such that q— 1 has no large prime fac- 
tors (in which case discrete logs can feasibly be computed in F4, see §3) and 
such that both p and f are of intermediate size (e.g., 2 or 3 digits). In the 
1988 paper by Chor and Rivest the value q = 19724 was suggested. Next, 
Alice chooses a monic irreducible polynomial F(X) € F,[X] of degree f, 
so that F, may be regarded as F,[X]/F(X). She also chooses a generator 
g of Fj, and an integer z. Alice makes these choices of F’, g, and z in some 
random way. 

Let t € Fy = F,[X]/F(X) denote the residue class of X. Alice chooses 
k to be any integer less than both p and f. For j = 0,...,k—1, she computes 
the nonnegative integer b; < q — 1 such that g =t+ J. (By assumption, 
Alice can easily find discrete logarithms in Fj.) Finally, Alice chooses at 
random a permutation 7 of {0,...,k — 1}, and sets v; equal to the least 
nonnegative residue of b,(;) + z modulo gq — 1. She publishes the k-tuple 
(vo,.--,Vk—1) as her public key. 

Deciphering works as follows. After receiving c and c’ from Bob, she 
first computes g°~*° , which is represented as a unique polynomial G(X) € 
F,[X] of degree < f. But she knows that this element must also be equal to 
Il 97°" = [](t + 7(y))@, which is represented by the polynomial [[(X + 
m(j))*3. Since both G(X) and [](X +7(j))* have degree < f and represent 
the same element modulo F(X), she must have 


G(X) = [](x+2G))*, 


from which she can determine the e; by factoring G(X) (for which efficient 
algorithms are available, see Vol. 2 of Knuth). 
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Exercises 


1. 


For each of the following sequences and “volumes,” decide whether the 
knapsack problem is superincreasing and how many solutions (if any) 
it has: (a) {2,3, 7,20, 35,69}, V = 45; (b) {1,2,5,9, 20,49}, V = 73; 
(c) {1,3,7,12, 22,45}, V = 67; (d) {2,3,6,11,21,40}, V = 39; (e) 
{4,5, 10, 30, 50, 101}, V = 186; (f) {3, 5,8, 15, 28,60}, V = 43; 

(a) Show that the superincreasing sequence with the smallest v,’s is 
the one with v; = 2% 

(b) Show that a superincreasing knapsack problem with v; = 2* always 
has a solution n, namely n = V, and that for no other superincreas- 
ing sequence does the corresponding knapsack problem always have a 
solution. 

Show that any sequence of positive integers {v;} with vi41 > 2v; for 
all 7 is superincreasing. 

Suppose that plaintext message units are single letters in the usual 
26-letter alphabet with A—Z corresponding to 0—25. You receive the 
sequence of ciphertext message units 14, 25, 89, 3, 65, 24, 3, 49, 89, 24, 
41, 25, 68, 41, 71. The public key is the sequence {57, 14, 3, 24,8} and 
the secret key is b = 23, m = 61. 

(a) Try to decipher the message without using the deciphering key; 
check by using the deciphering key and the algorithm for a superin- 
creasing knapsack problem. 

(b) Use the above public key to send the message TENFOUR. 
Suppose that plaintext message units are trigraphs in the 32-letter 
alphabet with A—Z corresponding to 0—25, blank=26, ?=27, !=28, 
.=29, ’=30, $=31. You receive the sequence of ciphertext message units 
152472, 116116, 68546, 165420, 168261. The public key is the sequence 
{24038, 29756, 34172, 34286, 38334, 1824, 18255, 19723, 143, 17146, 
35366, 11204, 32395, 12958, 6479}, and the secret key is b = 30966, 
m = 47107. Decipher the message. 

Suppose that plaintext message units are digraphs in the 32-letter al- 
phabet of Exercise 5. You receive the sequence of ciphertext message 
units 33219, 7067, 18127, 43099, 37953, which were enciphered using 
a two-iteration knapsack system with public key {23161, 6726, 4326, 
16848, 21805, 11073, 120, 15708, 2608, 341}. The secret key is b; = 533, 
m, = 2617, b2 = 10175, m2 = 27103. Decipher the message. 
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5 Zero-knowledge protocols and oblivious transfer 


“Zero knowledge” is the name of a cryptographic concept first developed in 
the early 1980’s to deal with the following problem. Suppose someone wants 
to prove that she has figured out how to do something — find a solution 
to an equation, prove a theorem, solve a puzzle — while at the same time 
conveying no knowledge about her proof or solution. Can this ever be done? 
How can you convince someone that you have a solution without exhibiting 
it? The somewhat surprising fact is that in many situations it is possible 
to do this. 

The “prover,” whom we shall call Picara, is the person with the solu- 
tion; the “verifier” Vivales is the one who in the end must become satisfied 
that Picara has a solution, while still not having the foggiest idea of what 
that solution is. 

In this section we shall first give a simple, visual example of a zero- 
knowledge proof which is interactive (i.e., it requires communication back 
and forth between Picara and Vivales). This example concerns map coloring 
and does not use number theory. Then we give a second example: how to 
prove that you have found a discrete logarithm without helping the verifier 
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to know what it is. We next discuss a concept called “oblivious transfer,” 
with which one can construct noninteractive zero-knowledge proofs. Finally, 
we use oblivious transfer to give a zero-knowledge proof of factorization. 

Map coloring. Our first example is the following. It is now known that 
any planar map can be colored with 4 colors. Some maps can be colored 
with 3 colors and others cannot. Suppose Picara is given a complicated 
map, which after much effort she is able to find a way of coloring with only 
3 colors (red, blue, green). How can she convince Vivales that she has done 
this, without giving him a clue that would help him color the map? 

We first translate this problem into the language of graphs. 

Definition. A graph is a set V, whose elements are called “vertices,” 
and a subset E of the set of all (unordered) pairs of elements of V. The 
elements of E are called “edges.” An “edge” e = {u,v}, where u,v € V, 
should be visualized as a line joining the vertices u and v. 

Definition. We say that a graph is colorable by the colors r, b, g, if 
there exists a function f : V — {r,b, g} such that no vertices joined by an 
edge have the same color, i.e., {u,v} € FE => f(u) ¥ f(v). 

The 3-colorability problem consists in determining, given a graph, 
whether or not it is colorable by r, b, g. 

To translate the map-coloring problem to a graph-coloring problem, 
simply take V to be the set of countries (visualized now as points), and 
“connect” two countries with an edge if and only if they have a common 
boundary. 

The 3-colorability problem has two nice properties which make it a 
convenient choice for discussions of many questions: (1) it is easy to visu- 
alize; and (2) it is NP-complete (see the discussion of the knapsack in §4). 
The NP-completeness property implies that, if you have a zero-knowledge 
verification of 3-colorability, then you can get a zero-knowledge verification 
for any NP-problem by “reducing” it to 3-colorability. 

However, this does not mean that, once a zero-knowledge verifica- 
tion has been constructed for a certain NP-complete problem P, (say, 3- 
colorability), it is then superfluous to construct a zero-knowledge proof for 
another NP-problem P2. On the contrary, in the process of reducing P, to 
P,, one generally increases the size of the input data substantially. Thus, a 
much more efficient zero-knowledge verification is likely to result by working 
directly with P2 rather than by reducing P> to P; and then using the earlier 
verification of P,. For example, we shall later give a direct zero-knowledge 
proof of possession of a discrete logarithm. It would be inefficient in the ex- 
treme to construct such a zero-knowledge proof by first reducing possession 
of a discrete log to 3-colorability of some graph. 

Zero-knowledge proof of 3-colorability. Suppose that Picara is given a 
graph. We shall visualize the vertices as small balls containing little colored 
lights and joined by bars wherever there is an edge. The light in each vertex 
can flash either red, blue or green. Picara has (1) a device A which sets each 
vertex to flash whichever of the three colors she chooses, and (2) a device B 
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which, whenever a button is pushed, chooses a random permutation of the 
three colors and then resets each vertex according to the permutation. For 
example, if the device B chooses the transposition of red and blue, then it 
goes to all vertices with blue lights, switches them to red lights, goes to all 
vertices with red lights, switches them to blue lights, and leaves the vertices 
with green lights alone. Vivales has no control over the device B and does 
not even know which permutations it generates. 

We further suppose that the lights inside the vertex balls are hidden 
from view. However, whenever someone grabs onto the bar connecting two 
vertices, the lights in those two vertices (and no others) become visible. 

Now Picara has figured out a 3-coloring of the graph, and uses the 
device A to set the vertices with the corresponding colors. Here is the 
procedure used to convince Vivales that she has been successful in doing 
this: 

1. Vivales is allowed to grab any one of the edge-bars, revealing the colors 

of the two vertices at each end. He will see that those two vertices have 

different colors, thereby giving a little bit of evidence that Picara has a 

valid coloring (recall that “valid” means that no two adjacent vertices 

have the same color). 

Next, Picara pushes the button on B, permuting the colors. 

Vivales may then grab another edge-bar. 

4. Picara and Vivales repeat steps #2 and #3 in alternation, until Vivales 
has tested all the bars (or, if he insists, until he has tested all the 
bars several times — perhaps he suspects that Picara has cheated by 
resetting the vertices on a bar that was tested earlier). 

After a little thought, two things should be clear: (1) If Picara has 
really not been able to 3-color the graph, she won’t be able to fool Vivales 
— eventually step #3 will reveal adjacent vertices of the same color. (2) 
Because of the random permutations of the colors, Vivales learns nothing 
about the coloring, except for the fact that Picara has been successful. That 
is, if he, too, now wants to 3-color the graph, it will be just as hard for him 
to 3-color it after going through steps #1—-4 above as it would have been 
before. 

To prove the claim that Vivales has learned nothing about the coloring, 
one argues as follows. Suppose that a third person, Clyde, does not know 
how to 3-color the graph but does know in advance which edge-bar Vivales 
will grab. Then Clyde could produce the exact same result as Picara, i.e., 
the information Vivales receives from Clyde is indistinguishable from what 
Picara would have given him. But Clyde could hardly be conveying anything 
useful about 3-coloring the graph, since he himself does not know a 3- 
coloring. We say that Clyde “simulates” the role of Picara. This argument 
by simulation is the standard way to show that a certain protocol is really 
a zero-knowledge proof. 

Zero-knowledge proof of having found a discrete logarithm. As in §3, 
suppose that G is a finite group containing N elements (whose group oper- 


wr 
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ation will be written multiplicatively), b is a fixed element of G, and y is an 

element of G for which Picara has found a discrete logarithm to the base b, 

ie., she has solved the equation b* = y for a positive integer +. She wants 

to demonstrate to Vivales that she knows z without giving him a clue as to 
what z is. We first suppose that Vivales knows the order N of the group. 

Here is the sequence of steps performed by the two of them: 

1. Picara generates a random positive integer e < N, and sends Vivales 
b’ = be. 

2. Vivales flips a coin. If it comes up heads, Picara must reveal e, and 
Vivales checks that in fact b’ is b°. 

3. If the coin comes up tails, then Picara must reveal the least positive 
residue of x + e modulo N; at which point Vivales checks that yb’ = 
pete, 

4. Steps #1-3 are repeated until Vivales is convinced that Picara must 
know the value z of the discrete logarithm. 

Notice that if Picara does not know the value z of the discrete log, 
then she will not be able to respond to more than one possible result of 
the coin toss. If she has performed step (1) as she was supposed to, then 
she can respond to heads — but not to tails — without knowing z. On the 
other hand, if she anticipates tails and so in step (1) decides to send Vivales 
b’ = b°/y (so that in step (3) she can send him simply e instead of x + e), 
then she will be in a jam if the coin comes up heads (since she does not 
know the power of b that gives b’). 

Further notice that the zero-knowledge property of this protocol can 
be proved by a simulation argument. Namely, suppose that Clyde does not 
know the discrete log of y to the base 6 but does know in advance how the 
coin toss will go. Then Clyde can simulate the same steps as Picara (by 
sending b’ = b° for heads and b’ = b°/y for tails), giving Vivales information 
that is indistinguishable from what Picara would have given him. Clyde 
cannot be telling Vivales anything useful for finding the discrete log, since 
he himself has no idea what the discrete log is. 

In the exercises we will examine the situation when Vivales does not 
know N. For example, suppose that he knows that G = (Z/MZ)*, but he 
does not know the factorization of M. (Recall that if M is a product of two 
primes, then knowing its factorization is equivalent to knowing N = y(M), 
see §I.3.) Then ideally Picara (or the simulator Clyde), who uses the value 
of N in step (1), must avoid conveying to Vivales any information about N 
(or else we don’t really have a “zero knowledge” proof). This might seem to 
be too much to ask for, but one can insist that no more than a very small 
amount of information be conveyed. 

Oblivious transfer. An “oblivious transfer channel” from Picara to Vi- 
vales is a system for Picara to send Vivales two encrypted packets of infor- 
mation subject to the following conditions: 

1. Vivales can decipher and read exactly one of the two packets; 

2. Picara does not know which of the two packets he can read; and 
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3. both Picara and Vivales are certain that conditions (1) and (2) hold. 

At first glance, this might seem like an odd thing to want. However, 
such a channel turns out to be a fundamental concept in cryptography. 
We shall soon see how it can be used to construct a non-interactive zero- 
knowledge proof. But before discussing this application to zero knowledge, 
we describe one way to obtain an oblivious transfer channel, based on the 
intractability of the discrete log problem. 

More precisely, we suppose that we have a large finite field F, and 
a fixed element 6 of the multiplicative group Fj such that, given b* and 
bY, there is no computationally feasible way to find b*¥. This is the Diffie— 
Hellman assumption, which conjecturally holds if the discrete logarithm 
problem is intractable in Fj (see §3). 

We further suppose that we have an easily computed (and easily in- 
verted) map w from our finite field to the F2-vector space F? of n-tuples 
of bits. Suppose that the image of this map contains all of F3~’ (i.e., all 
n-tuples whose last bit is 0). For example, if q is a prime p, then we can 
choose n so that 2"—! < p < 2", and map any element of F, — i.e., any 
nonnegative integer less than p — to its sequence of binary digits. 

We suppose that our message units are also n-tuples of bits, i.e., ele- 
ments m € F}. We finally suppose that an element C € F%, fixed once and 
for all, has been chosen so that no one knows its discrete logarithm. (Recall 
that we have assumed that the discrete log problem is intractable in F;.) 
This element C' might have been supplied by a “trusted Center,” or by an 
agreed upon random procedure, or by an interactive construction in which 
both Picara and Vivales participated. 

The oblivious transfer proceeds as follows. Vivales chooses a random 
integer z, 0 < x < q—1, and also a random element i € {1,2}. In what 
follows both z and i denote fixed integers in the range {1,...,q — 2} and 
{1, 2}, respectively. Vivales sets 8; = b* and @3_; = C/b*. He then publishes 
his “public key” (G1, 2), while keeping x and i secret. Notice that Vivales 
is assumed not to know the discrete logarithm of 63_; — which we shall 
denote x’ — because if he did, then he would know the discrete log of 
C = £;63_;, contrary to assumption. 

Now suppose that Picara has a message unit m; € F} from the first 
packet and a message unit m2 € Ff from the second packet. She chooses 
two random integers 0 < y1, y2 < q—1, and sends to Vivales the following 
two elements of Fj and two elements of F}: 


bY BY; a, =m, + 9(6"), ag = me +: (3?). 


(Here addition is in the F2-vector space F?; this addition operation is also 
known as “exclusive or.”) Picara keeps y; and ye secret. 

Since 6%* = (b%)”, and Vivales knows both 6% and z, he can easily 
determine 7(G?"), and hence find m; = a; + p(G%*). However, if he wanted 
to find m3_;, he would have to find 63°;' = b*'¥3-+ knowing only b¥-* and 
b?’ but not y3—; or x’. This is impossible, by the Diffie-Hellman assumption. 
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Notice that Picara can easily check that 3,382 = C, and thus be sure 
that Vivales does not know the discrete logs of both elements of his public 
key ((1, 62). Since it is in Vivales’ interest to get as much information as 
possible, Picara can be sure that he does know the discrete log of one of the 
two elements. But there is no way Picara can distinguish between (3, and 
(2 for the purpose of determining which Vivales obtained as 6” and which 
as C/b*. Thus, both Vivales and Picara can be confident that the above 
conditions (1) and (2) are fulfilled. 

If a sequence of pairs (m1,mz) are sent using the same ((1, 2) (i.e., 
the same values of x and i), then Picara does know that the element of the 
pair (m1, m2) that Vivales is deciphering (namely, m;) remains the same for 
all pairs of message units in the sequence. If we want another sequence of 
message units to be sent independently, then Vivales must randomly select 
new values for x and i, and send a new public key ((, (2). 

Use of oblivious transfer for a non-interactive proof of factorization. 
The idea conveyed by the term “non-interactive” can be summarized in the 
form of a diagram 

Center 


vA \ 
Picara — Vivales 


Here the “trusted Center” can be thought of as a source of random bits, 
which are sent simultaneously to Picara and Vivales (it is permissible for 
the Center first to perform some arithmetic operations on the bits before 
sending them). The combination of these bits and Picara’s reaction to them 
— what she sends Vivales — must be enough to convince Vivales (with an 
exponentially decreasing chance that he’s being fooled) that she did what 
she claims to have done. 

The “non-interaction” means that in the course of the proof Vivales 
does not communicate to Picara. However, it is permitted that at the very 
beginning Picara has been given a long sequence of oblivious transfer pub- 
lic keys (31, G2) for Vivales, as described above. This is not counted as a 
communication from Vivales to Picara. In fact, the same public keys are 
available, as the word “public” suggests, for anyone to use who’s playing 
the role of Picara. And Picara can use the same sequence of public keys in 
many different zero-knowledge proofs she sends to Vivales. 

We now describe the procedure that Picara uses to convince Vivales 
that she can factor an integer n = pq without giving him any information 
about what its factors might be. We will use the fact that the ability to 
take the square root modulo n = pq of an arbitrary number that has a 
square root is equivalent to knowledge of p and q (see Exercise 5 below). 
The procedure is as follows: 

1. The Center randomly generates an integer x, and sends Picara and 

Vivales the least nonnegative residue of x? modulo n; let us denote y 

= z* mod n. 
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Picara finds the four square roots of y modulo ‘n, namely, +z, +2’. She 
arbitrarily chooses x9 to be one of these four square roots. 

Picara randomly picks an integer r and sends Vivales the integer s = 
r2 mod n. She sets m, = r mod n, m2 = ror mod n, and sends these 
two messages to Vivales by oblivious transfer. 

Vivales is able to read exactly one of the two messages. He checks that 
its square modulo n is s (if his random i is 1) or ys (if i = 2). 

Steps 1-4 are repeated (with different public keys (31, 32)). If Picara 
meets the test T times, then Vivales is satisfied (with certainty 1-2-7) 
that Picara really knows the factorization. 


Exercises 


1. 


In the zero-knowledge proof of possession of a discrete logarithm, if 
Picara does not really know the discrete log, then what are the odds 
against her successfully fooling Vivales for T repetitions of steps (1)- 
(3)? 

In the zero-knowledge proof of possession of a discrete logarithm, sup- 
pose that Vivales does not know the value of N. 

(a) Explain how the protocol described in the text is not really “zero 
knowledge.” 

(b) How could Picara decrease the amount of information Vivales ob- 
tains about the magnitude of N? 

Suppose that Picara does not know N, and so in step (1) she chooses 
a random e in some other range (e.g., e < B, where B is an upper 
bound for the possible value of N), and in step (3) she sends simply 
x+e rather than the least positive residue of x +e modulo N. Explain 
why this is not a zero-knowledge proof. Why is the procedure followed 
by Clyde not a valid simulation? 

Explain how the zero-knowledge proof in the text for possession of a 
discrete logarithm can be used for public key electronic identification. 
(This means that Picara convinces Vivales that she really is Picara.) 
Explain why being able to extract square roots modulo n = pq is 
essentially equivalent to knowing the factorization of n. 

Can the same public key (G1, G2) for oblivious transfer be used by sev- 
eral different people to give Vivales zero-knowledge proofs that they all 
independently know the same factorization? Assume that each person 
can eavesdrop on the transmissions of the others. 

Using oblivious transfer, construct a non-interactive zero-knowledge 
proof for possession of a discrete logarithm. (Suppose that the order 
N of the group is known to everyone.) 

The following scheme was recently proposed as a zero-knowledge pro- 
tocol for Picara to use in order to demonstrate to Vivales that she 
knows the factors p and q of an integer n, where n is known to be a 
product of two primes that are = 3 (mod 4). Find a basic flaw in the 
scheme. 
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Step 1. Vivales, who knows n, but not p and q, chooses an integer z 
at random. He computes the least nonnegative residue of x4 modulo 
n, and sends this number — which we denote y — to Picara. 

Step 2. When Picara receives y, she computes a square root modulo 
n (which is easy, since she knows the factorization of n; see Exercise 5 
above). Of the four possible square roots, she chooses the unique one 
which is a quadratic residue modulo both p and q. This must be the 
least positive residue of z? modulo n. She sends this integer to Vivales. 
Step 3. Vivales checks that the number he received from Picara is in 
fact the residue of z? modulo n. He is then convinced that she can take 
square roots modulo n, something that would have been impossible if 
she didn’t know the factors of n. 

Find the drawback of the following procedure for a zero-knowledge 
proof of factorization. Suppose that n is the product of two primes p 
and gq. Suppose that a “trusted Center” supplies an unending sequence 
of random squares modulo n, as in the text: y1, y2,.... For each of the 
successive y;, Picara finds one of its square roots z;, and sends it to 
Vivales, who verifies that 2? = y (mod n). 
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V 


Primality and Factoring 


There are many situations where one wants to know if a large number n 
is prime. For example, in the RSA public key cryptosystem and in various 
cryptosystems based on the discrete log problem in finite fields, we need to 
find a large “random” prime. One interpretation of what this means is to 
choose a large odd integer np using a generator of random digits and then 
test no, No + 2, ... for primality until we obtain the first prime which is 
> no. A second type of use of primality testing is to determine whether an 
integer of a certain very special type is a prime. For example, for some large 
prime f we might want to know whether 2/ — 1 is a Mersenne prime. If 
we’re working in the field of 2f elements, we saw that every element # 0, 1 
is a generator of F3, if (and only if) 2/ — 1 is prime (see Ex.13(a) of §II.1). 

A primality test is a criterion for a number n not to be prime. If n 
“passes” a primality test, then it may be prime. If it passes a whole lot 
of primality tests, then it is very likely to be prime. On the other hand, if 
n fails any single primality test, then it is definitely composite. But that 
leaves us with a very difficult problem: finding the prime factors of n. In 
general, it is much more time-consuming to factor a large number once it 
is known to be composite (because it fails a primality test) than it is to 
find a prime number of the same order of magnitude. (This is an empirical 
statement, not a theorem; no assertion of this sort has been proved.) The 
security of the RSA cryptosystem is based on the assumption that it is 
much easier for someone to find two extremely large primes p and gq than it 
is for someone else, knowing n = pq but not p or q, to find the two factors 
in n. After discussing primality tests in §1, we shall describe three different 
factorization methods in §§2-5. 
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1 Pseudoprimes 


Have you ever noticed that there’s no attempt being made to 
find really large numbers that aren’t prime? I mean, wouldn’t you 
like to see a news report that says “Today the Department of 
Computer Sciences at the University of Washington announced 
that 2°8:111,625,031 + g is even. This is the largest non-prime yet 
reported.” 


— bathroom graffiti, University of Washington 


Un phénoméne dont la probabilité est 10-°° ne se produira donc 
jamais, ou du moins ne sera jamais observé. 


— Emile Borel, Les Probabilités et la vie 


Let n be a large odd integer, and suppose that you want to determine 
whether or not n is prime. The simplest primality test is “trial division.” 
This means that you take an odd integer m and see whether or not it 
divides n. If m # 1, n and mJn, then n is composite; otherwise, n passes 
the primality test “trial division by m.” As m runs through the odd numbers 
starting with 3, if n passes all of the trial division tests, then it becomes 
more and more likely that n is prime. We know for sure that n is prime 
when m reaches \/n. Of course, this is an extremely time-consuming way 
to test whether or not n is prime. The other tests described in this section 
are much quicker. 

Most of the efficient primality tests that are known are similar in gen- 
eral form to the following one. 

According to Fermat’s Little Theorem, we know that, if n is prime, 
then for any 6 such that g.c.d.(b,n) = 1 one has 


b"-! =1 mod n. (1) 


If n is not prime, it is still possible (but probably not very likely) that (1) 
holds. 

Definition. If n is an odd composite number and b is an integer such 
that g.c.d.(n,b) = 1 and (1) holds, then n is called a pseudoprime to the 
base b. 

In other words, a “pseudoprime” is a number n that “pretends” to be 
prime by passing the test (1). 

Example 1. The number n = 91 is a pseudoprime to the base b = 3, 
because 39° = 1 mod 91. However, 91 is not a pseudoprime to the base 2, 
because 29° = 64 mod 91. If we hadn’t already known that 91 is composite, 
the fact that 29° 4 1 mod 91 would tell us that it is. 

Proposition V.1.1. Let n be an odd composite integer. 

(a) n is a pseudoprime to the base b, where g.c.d.(b,n) = 1, if and only if 
the order of b in (Z/nZ)* (i.e, the least positive power of b which is 

=1 mod n) divides n — 1. 
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(b) If n is a pseudoprime to the bases b, and bz (where g.c.d.(bi,n) = 
= g.c.d.(b2,n) = 1), then n is a pseudoprime to the base b,b2 and also 
to the base bby A (where b, isan integer which is inverse to bz modulo 

(c) Ifn fails the test (1) for a single base b € (Z/nZ)*, then n fails (1) for 
at least half of the possible bases b € (Z/nZ)*. 

Proof. Parts (a) and (b) are very easy, and will be left to the reader. 
To prove (c), let {b:,b2,...,b0s} be the set of all bases for which n is a 
pseudoprime, i.e., the set of all integers 0 < b; < n for which the congruence 
(1) holds. Let b be a fixed base for which n is not a pseudoprime. If n were 
a pseudoprime for any of the bases bb;, then, by part (b), it would be a 
pseudoprime for the base b = (bb;)b; 1 mod n, which is not the case. Thus, 
for the s distinct residues {bb;, bbo,...,bb,} the integer n fails the test (1). 
Hence, there are at least as many bases in (Z/nZ)* for which n fails to be 
a pseudoprime as there are bases for which (1) holds. This completes the 
proof. 

Thus, unless n happens to pass the test (1) for all possible b with 
g.c.d.(b,n) = 1, we have at least a 50% chance that n will fail (1) for a 
randomly chosen b. That is, suppose we want to know if a large odd integer 
n is prime. We might choose a random 0 in the range 0 < b < n. We first 
find d = g.c.d.(b, n) using the Euclidean algorithm. If d > 1, we know that n 
is not prime, and in fact we have found a nontrivial factor d|n. If d = 1, then 
we raise b to the (n — 1)-st power (using the repeated squaring method of 
modular exponentiation, see § 1.3). If (1) fails, we know that n is composite. 
If (1) holds, we have some evidence that perhaps n is prime. We then try 
another b and go through the same process. If (1) fails for any b, then we 
can stop, secure in the knowledge that n is composite. Suppose that we try 
k different b’s and find that n is a pseudoprime for all of the k bases. By 
Proposition V.1.1, the chance that n is still composite despite passing the 
k tests is at most 1 out of 2", unless n happens to have the very special 
property that (1) holds for every single b € (Z/nZ)*. If k is large, we can be 
sure “with a high probability” that n is prime (unless n has the property of 
being a pseudoprime for all bases). This method of finding prime numbers 
is called a probabilistic method. It differs from a deterministic method: the 
word “deterministic” means that the method will either reveal n to be 
composite or else determine with 100% certainty that n is prime. 

Can it ever happen for a composite n that (1) holds for every b? In that 
case our probabilistic method fails to reveal the fact that n is composite 
(unless we are lucky and hit upon a b with g.c.d.(b,n) > 1). The answer is 
yes, and such a number is called a Carmichael number. 

Definition. A Carmichael number is a composite integer n such that 
(1) holds for every b € (Z/nZ)*. 

Proposition V.1.2. Let n be an odd composite integer. 

(a) If n is divisible by a perfect square > 1, then n is not a Carmichael 
number. 
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(b) If n is square free, then n is a Carmichael number if and only if 

p—1|n—1 for every prime p dividing n. 

Proof. (a) Suppose that p*|n. Let g be a generator modulo p%, i.e., an 
integer such that g?‘?—)) is the lowest power of g which is = 1 mod p?. Ac- 
cording to Exercise 2 of §II.1, such a g always exists. Let n’ be the product 
of all primes other than p which divide n. By the Chinese Remainder Theo- 
rem, there is an integer b satisfying the two congruences: b = g mod p” and 
b=1 mod n’. Then 6 is, like g, a generator modulo p?, and it also satisfies 
g.c.d.(b,n) = 1, since it is not divisible by p or by any prime which divides 
n’'. We claim that n is not a pseudoprime to the base b. To see this, we notice 
that if (1) holds, then, since p?|n, we automatically have b”-! = 1 mod p* 
But in that case p(p — 1)|n — 1, since p(p — 1) is the order of b modulo p* 
However, n — 1 = —1 mod p, since p|n, and this means that n — 1 is not 
divisible by p(p — 1). This contradiction proves that there is a base b for 
which n fails to be a pseudoprime. 

(b) First suppose that p— 1|n — 1 for every p dividing n. Let b be any 
base, where g.c.d.(b,n) = 1. Then for every prime p dividing n we have: 
b"—! is a power of b?—}, and so is = 1 mod p. Thus, b"~1—1 is divisible by all 
of the prime factors p of n, and hence by their product, which is n. Hence, 
(1) holds for all bases b. Conversely, suppose that there is a p such that 
p —1 does not divide n — 1. Let g be an integer which generates (Z/pZ)*. 
As in the proof of part (a), find an integer b which satisfies: b = g mod p 
and b = 1 mod n/p. Then g.c.d.(b,n) = 1, and b"-! = g""! mod p. But 
g” is not = 1 mod p, because n — 1 is not divisible by the order p — 1 
of g. Hence, b"-! # 1 mod p, and so (1) cannot hold. This completes the 
proof of the proposition. 

Example 2. n = 561 = 3-11-17 is a Carmichael number, since 560 is 
divisible by 3 — 1, 11 — 1 and 17 — 1. In the exercises we shall see that this 
is the smallest Carmichael number. 

Proposition V.1.3. A Carmichael number must be the product of at 
least three distinct primes. 

Proof. By Proposition V.1.2, we know that a Carmichael number must 
be a product of distinct primes. So it remains to rule out the possibility that 
n = pq is the product of two distinct primes. Suppose that p < qg. Then, if 
n were a Carmichael number, we would have n — 1 = 0 mod q —1, by part 
(b) of Proposition V.1.2. But n-—1=p(q—1+1)-1=p-—1modq-1, 
and this is not = 0 mod q — 1, since 0 < p— 1 < q—1. This concludes the 
proof. 

Remark. It was only very recently that it was proved (by Alford, 
Granville, and Pomerance) that there exist infinitely many Carmichael 
numbers. See Granville’s report in Notices of the Amer. Math. Soc. 39 
(1992), 696-700. 

Euler pseudoprimes. Let n be an odd integer, and let (2) denote the 
Jacobi symbol (see §II.2). According to Proposition II.2.2, if n is a prime 
number, then 
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pen? = (<) mod n (2) 


for any integer b. On the other hand, if n is composite, then Exercise 21 of 
§ 11.2 shows that at least 50% of all b € (Z/nZ)* fail to satisfy (2). From 
these two facts we can obtain an efficient probabilistic test for whether or 
not a large odd integer n is prime. We start with the following definition. 

Definition. If n is an odd composite number and b is an integer such 
that g.c.d.(n,b) = 1 and (2) holds, then n is called an Euler pseudoprime 
to the base b. 

Proposition V.1.4. If n is an Euler pseudoprime to the base b, then it 
is a pseudoprime to the base b. 

Proof. We must show that, if (2) holds, then (1) holds. But this is 
obvious by squaring both sides of the congruence (2). 

Example 3. The converse of Proposition V.1.4 is false. For example, 
in Example 1 we saw that 91 is a pseudoprime to the base 3. However, 
345 = 27 mod 91, so (2) does not hold for n = 91, b = 3. (Note that it 
is easy to raise b to a large power modulo 91 if we know the order of b in 
(Z/91Z)*; since 3° = 1 mod 91, we immediately see that 34° = 3° mod 91.) 
An example of a base to which 91 is an Euler pseudoprime is 10, since 
104 = 10° = —-1 mod 91, and (42) = —1. 

Example 4. It is easy to see that any odd composite n is an Euler 
pseudoprime to the base +1; in what follows we shall rule out these two 
“trivial” bases b. 

We can now describe the Solovay—Strassen primality test. Suppose that 
n is a positive odd integer, and we would like to know whether n is prime 
or composite. Choose k integers 0 < b < n at random. For each 5, first 
compute both sides of (2). Finding the left side b(°-1)/? takes O(log?n) bit 
operations, using the repeated squaring method (Proposition 1.3.6); finding 
the Jacobi symbol on the right also takes O(log*n) bit operations (see 
Exercise 17 of § 11.2). If the two sides are not congruent modulo n, then you 
know that n is composite, and the test stops. Otherwise, move on to the 
next b. If (2) holds for all k random choices of b, then the probability that 
n is composite despite passing all of the tests is at most 1/2" Thus, the 
Solovay-Strassen test is a probabilistic algorithm which leads either to the 
conclusion that n is composite or to the conclusion that it is “probably” 
prime. 

Notice that there are no Euler pseudoprime analogs of Carmichael 
numbers: for any composite n, the test (2) fails for at least half of the 
possible bases 6. 

Strong pseudoprimes. We now discuss one more type of primality test, 
which is in one respect even better than the Solovay—Strassen test based on 
the definition of an Euler pseudoprime. This is the Miller—-Rabin test, which 
is based on the notion of a “strong pseudoprime,” which will be defined 
below. Suppose that n is a large positive odd integer, and b € (Z/nZ)*. 
Suppose that n is a pseudoprime to the base b, ie., b°-! = 1 mod n. 
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The idea behind the strong pseudoprime criterion is that, if we succes- 
sively “extract square roots” of this congruence, i.e., if we raise b to the 
((n — 1)/2)-th, ((n — 1)/4)-th,..., ((n — 1)/2°)-th powers (where t = 
(n — 1)/2° is odd), then the first residue class we get other than 1 must 
be —1 if n is prime, because +1 are the only square roots of 1 modulo a 
prime number. Actually, in practice one proceeds in the other direction, 
setting n — 1 = 2°%t with ¢ odd, then computing b’ mod n, then (if that 
is not = 1 mod n) squaring to get b** mod n, then squaring again to get 
bt mod n, etc., until we first obtain the residue 1; then the step before 
getting 1 we must have had —1, or else we know that n is composite. 

Definition. Let n be an odd composite number, and write n — 1 = 2°¢ 
with t odd. Let 6 € (Z/nZ)*. If n and 6 satisfy the condition 


either b' =1 modn_ or 
there exists r, 0 <r <s, such that b? * = —1 mod n, (3) 


then n is called a strong pseudoprime to the base b. 

Proposition V.1.5. If n = 3 mod 4, then n is a strong pseudoprime to 
the base b if and only if it is an Euler pseudoprime to the base b. 

Proof. Since in this case s = 1 and t = (n — 1)/2, we see that n is 
a strong pseudoprime to the base b if and only if b(°-))/? = +1 mod n. 
If n is an Euler pseudoprime, then this congruence holds, by definition. 
Conversely, suppose that b(*-!)/2 = +1. We must show that the +1 on the 
right is (2). But for n = 3 mod 4 we have +1 = (+4), and so 


(2) = ee) s a) = b"-)/2 mod n, 


n n n 
as required. The next two important propositions are somewhat harder to 
prove. 

Proposition V.1.6. If n is a strong pseudoprime to the base b, then it 
is an Euler pseudoprime to the base b. 

Proposition V.1.7. If n is an odd composite integer, then n is a strong 
pseudoprime to the base b for at most 25% of allOQ<b<n. 

Remark. The converse of Proposition V.1.6 is not true, in general, as 
we shall see in the exercises below. 

Before proving these two propositions, we describe the Miller-Rabin 
primality test. Suppose we want to determine whether a large positive odd 
integer n is prime or composite. We write n—1 = 2%t with t odd, and choose 
a random integer b, 0 < b < n. First we compute b’ mod n. If we get +1, 
we conclude that n passes the test (3) for our particular b, and we go on to 
another random choice of b. Otherwise, we square 6‘ modulo n, then square 
that modulo n, and so on, until we get —1. If we get —1, then n passes the 
test. However, if we never obtain —1, i.e., if we reach b""" = 1 mod n while 
b?” # -1 mod n, then n fails the test and we know that n is composite. If 
n passes the test (3) for all our random choices of b — suppose we try k 
different bases b — then we know by Proposition V.1.7 that n has at most a 
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1 out of 4* chance of being composite. This is because, if n is composite, then 
at most 1/4 of the bases 0 < b < n satisfy (3). Notice that this is somewhat 
better than for the Solovay-Strassen test, where the analogous estimate 
is a 1 out of 2* chance (because there exist composite n which are Euler 
pseudoprimes for half of all bases 0 < b < n, as we shall see in the exercises). 

We now proceed to the proofs of Propositions V.1.6 and V.1.7. 

Proof of Proposition V.1.6. We have n and b satisfying (3). We must 
prove that they satisfy (2). Let n — 1 = 2%t with t odd. 

Case (i). First suppose that 6‘ = 1 mod n. Then the left side of (2) is 
clearly 1. We must show that (£) = 1. But 1 = (4) = (=) = (2)* Since t 
is odd, this means that (2) =1. 

Case (ii). Next suppose that b(°-))/2 = —1 mod n. Then we must show 
that (4) = —1. Let p be any of the prime divisors of n. We write p — 1 in 
the form p — 1 = 2°'t' with t/ odd, and we prove the following claim: 

Claim. We have s' > s, and 


2) a if s' =s; 
D 1, ifs'>s. 

Proof of the claim. Because ey 2 = pt = -1 mod n, raising 
both sides to the t’ power gives (b?” *)* = —1 mod n. Since p|n, the same 
congruence holds modulo p. But if we had s’ < s, this would mean that 
b?° t' could not be = 1 mod p, as it must be by Fermat’s Little Theorem. 
Thus, s’ > s. If s’ = s, then the congruence (b?" * )* = —1 mod p implies 
that (2) = p(P-1)/2 — 42" ~"t’ mod p must be —1 rather than 1. On the 


other hand, if s’ > s, then the same congruence raised to the (2° ~*)-th 
power implies that (2) must be 1 rather than —1. This proves the claim. 

We now return to the proof of Proposition V.1.6 in Case (ii). We write 
n as a product of primes (not necessarily distinct): n = [| p. Let k denote 
the number of primes p such that s’ = s when one writes p— 1 = 2°'t! with 
U odd. (k counts such a prime p with its multiplicity, i.e., a times if p%||n.) 
According to the claim, we always have s’ > s, and (2) = TI(2) = (-1)- 
On the other hand, working modulo 2°+1, we see that p = 1 unless p is one 
of the k primes for which s’ = s, in which case p = 1+2°. Since n = 1+2°t = 
1 + 2° mod 2°+}, we have 1 + 2° = [[p = (1+ 2°)* = 14 k2® mod 25+! 
(where the last step follows by the binomial expansion). This means that k 
must be odd, and hence (2) = (—1)* = —1, as was to be proved. 

Case (iii). Finally, suppose that 2” 't = —1 mod n for some 0 <r < s. 
(We are using r —1 in place of the r in (3).) Since then b(°-)/2 = 1 mod n, 
we must show that in Case (iii) we have (2) = 1. Again let p be any prime 
divisor of n, and write p — 1 = 2° t' with t’ odd. 

Claim. We have s’ > r, and 


Ge cas 
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The proof of this claim is identical to the proof of the claim in Case 
(ii). 

To prove the proposition in Case (iii), we let k denote the number of 
primes p (not necessarily distinct) in the product n = [|p for which the 
first alternative holds, i.e., s’ = r. Then, as in Case (ii), we obviously have 
(2) = (-1)* On the other hand, since n = 1 + 2°t = 1 mod 2"+? and also 
n = [[ p= (1+2")* mod 2"*}, it follows that k must be even, i.e., (2) =1. 
This concludes the proof of Proposition V.1.6. 

Before proving Proposition V.1.7, we prove a general lemma about the 
number of solutions to the equation z* = 1 in a “cyclic group” containing m 
elements. We already encountered this lemma once at the beginning of § II.2; 
the proof of the lemma should be compared to the proof of Proposition 
11.2.1. 

Lemma 1. Let d = g.c.d.(k,m). Then there are exactly d elements in 
the group {g,97,9°,...,9 =1} which satisfy z* = 1. 

Proof. An element 9 satisfies the equation if and only if 9/* = 1, ie., 
if and only if m|jk. This is equivalent to: | jk, which, since m/d and k/d 
are relatively prime, is equivalent to: j is a multiple of m/d. There are d 
such values of 7, 1 < 7 < m. This proves the lemma. 

We need one more lemma, which has a proof similar to that of Lemma 
1. 

Lemma 2. Let p be an odd prime, and write p — 1 = 2°'t! with t! odd. 
Then the number of x € (Z/pZ)* which satisfy x?" = —1 mod p (where t 
is odd) is equal to 0 if r > s’ and is equal to 2"g.c.d.(t,t’) ifr < s’. 

Proof. We let g be a generator of (Z/pZ)*, and we write x in the form 
g) with 0 <j < p—1. Since g~)/? = —1 mod p and p— 1 = 2°'t’, the 
congruence in the lemma is equivalent to: 2"tj = 2°14’ mod 2°'t’ (with 
j the unknown). Clearly there is no solution if r > s’ — 1. Otherwise, we 
divide out by the g.c.d. of the modulus and the coefficient of the unknown, 
which is 2"d, where d = g.c.d.(t, t’). The resulting congruence has a unique 
solution modulo Brett and it has 27d solutions modulo 2° t! , as Claimed. 
This proves Lemma 2. 

Proof of Proposition V.1.7. Case (i). We first suppose that n is divisible 
by the square of some prime p. Say p®||n, a > 2. We show that in this 
case n cannot even be a pseudoprime (let alone a strong pseudoprime) for 
more than (n — 1)/4 bases b, 0 < b < n. To do this, we suppose that 
b"-1 = 1 mod n, which implies that 6°-! = 1 mod p?, and we find a 
condition modulo p? that 6 must satisfy. Recall that (Z/p?Z)* is a cyclic 
group of order p(p— 1) (see Exercise 2 of §II.1), ie., there exists an integer 
g such that (Z/p?Z)* = {g,97,9°,.-.,g?-)}. According to Lemma 1, 
the number of possibilities for b modulo p? for which b”-! = 1 mod p? is 
d = g.c.d.(p(p — 1),n — 1). Since pln, it follows that p fn — 1, and hence 
p Xd. Thus, the largest d can be is p — 1. Hence, the proportion of all 6 not 
divisible by p* in the range from 0 to n which satisfy b°-! = 1 mod p? is 
less than or equal to 
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Since the proportion of b in the range from 0 to n which satisfy b°-! = 
1 mod n is less than or equal to this, we conclude that n is a pseudoprime to 
the base b for at most 1/4 of the b, 0 < b <n. This proves the proposition 
in Case (i). (Remark: This upper bound of 25% is actually reached in Case 
(i) in the case when n = 9, i.e., 9 is a (strong) pseudoprime for 2 out of the 
8 possible values of b, namely, b = +1.) 

Case (ii). We next suppose that n is the product of 2 distinct primes p 
and q: n = pq. We write p— 1 = 2° t’ with t’ odd and q—1 = 2° t” with t” 
odd. Without loss of generality we may suppose that s’ < s”. In order for 
an element b € (Z/nZ)* to be a base to which n is a strong pseudoprime, 
one of the following must occur: (1) bt = 1 mod p and b' = 1 mod q, or (2) 
b?"t = —1 mod p and b?"* = ~1 mod q for some r, 0 <r < s. According to 
Lemma 1, the number of b for which the first possibility holds is the product 
of g.c.d.(t, t’) (the number of residue classes modulo p) times g.c.d.(t, t’”’) 
(the number of residue classes modulo q), which is certainly no greater than 
t’t”. According to Lemma 2, for each r < min(s’‘,s”) = s’ the number of b 
for which 6?" = —1 mod n is 2"g.c.d.(t,t’) - 2"g.c.d.(t, t”) < 4”t't". Since 
we have n—1> y(n) = 2% +°"t’t”, it follows that the fraction of integers b, 
0 <b<_n, for which n is a strong pseudoprime is at most 


GUE pase! ee eee a 1 
ge tert . (1 wie ) 


If s” > s’, then this is at most 2-?°'-1(2 + 4-) < 2-324 2 = 1 as desired. 
On the other hand, if s’ = s”, then we note that one of the two inequalities 
g.c.d.(t,t') < t', g.c.d.(t,t”) < t” must be a strict inequality, since if we had 
t’|t and t”’|t, we could conclude from the congruence n — 1 = 2°t = pq—1= 
q—1 mod t’ that t/|q—1 = 2°" t”, ie., t/|t", and similarly t’’|t; but this 
would mean that t’ = t” and p = q, a contradiction. Hence one of the two 
g.c.d.’s is strictly less than t’ or t”, and so must be less at least by a factor 
of 3 (since we’re working with odd numbers). Thus, in this case we may 
replace t’t” by dt! t” in the above estimates for the number of 6 satisfying 
each condition for n to be a strong pseudoprime to the base b. This leads 
to the following upper bound for the fraction of integers b, 0 < b < n, for 
which n is a strong pseudoprime: 
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as desired. This completes the proof of the theorem in Case (ii). 

Case (iii). Finally, we suppose that n is a product of more than 2 
distinct primes: n = p)p2:+- pe, k > 3. We write p; — 1 = 2%t; with t; odd, 
and we proceed exactly as in Case (ii). Without loss of generality, we may 
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suppose that s; < s; is the smallest of the s;. We obtain the following upper 
bound for the fraction of possible b’s for which n is a strong pseudoprime: 


gker _ 1 gF22 ohn 
ee | ) < —ks, = 
a 2k 1 <2 Gre ae) 
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because k > 3 in Case (iii). This concludes the proof of Proposition V.1.7. 

Remarks. 1. In fact, in practice one does not have to choose a very 
large number of bases b to be almost sure that n is prime if it is a strong 
pseudoprime to each base b. For example, it has been computed that there 
is only one composite number less than 2.5-10!© — namely, n = 3215031751 
— which is a strong pseudoprime to all four bases 2, 3, 5, 7. 

2. It is not entirely satisfactory to rely upon a probabilistic test. Despite 
Emile Borel’s assurance, quoted at the beginning of the section, it would be 
nice to have rapid methods to prove that a given n really is prime (especially, 
if it is of some special practical or theoretical importance to know that the 
particular n is prime). For example, suppose we knew that there is some 
fairly small B (depending on the size of n) such that, if n is composite, 
then there is some base b < B for which n is not a strong pseudoprime. If 
we knew that, then in order to be absolutely sure that n is prime it would 
suffice to test (3) only for the first B bases. 

There is such a fact, but it depends upon an unproved conjecture 
called the “Generalized Riemann Hypothesis.” The usual Riemann Hy- 
pothesis is the assertion that all complex zeros of the so-called “Riemann 
zeta-function” ¢(s) (which is defined to be the sum of the reciprocal s-th 
powers when s > 1) which lie in the “critical strip” (where the real part of 
s is between 0 and 1) must lie on the “critical line” (where the real part 
of s is 1/2). The Generalized Riemann Hypothesis is the same assertion 
for certain generalizations of ¢(s) called “Dirichlet L-series.” The following 
fact, whose proof is beyond the scope of this book, shows that the Miller— 
Rabin test (3) gives a deterministic primality test which takes polynomial 
time (in logn), provided that one is willing to assume the validity of the 
Generalized Riemann Hypothesis (GRH). 

If the GRH is true, and if n is a composite odd integer, then n fails 
the test (3) for at least one base b less than 2 log?n. 

3. In the 1980’s an efficient deterministic primality test was developed 
which, while strictly speaking not polynomial in logn, in practice can rou- 
tinely prove primality of numbers of over a hundred decimal digits in a 
matter of seconds (on current large computers). This method of Adleman— 
Pomerance-Rumely and Cohen-Lenstra is based on the same ideas as the 
primality tests considered above, except that it uses analogs of Fermat’s 
Little Theorem: in extension fields of the rational numbers. A basic role 
is played by Gauss sums (certain types of which were introduced in §II.2 
in order to prove quadratic reciprocity) and the closely related “Jacobi 
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sums.” A detailed discussion of their method would take us too far afield. 
A thorough and readable account is given in the Cohen-Lenstra article in 
Mathematics of Computation. 


Exercises 


1. 


(a) Find all bases b for which 15 is a pseudoprime. (Do not include the 
trivial bases +1.) 

(b) Find all bases for which 21 is a pseudoprime. 

(c) Prove that there are 36 bases b € (Z/91Z)* (i.e., 50% of the possible 
bases) for which 91 is a pseudoprime. 

(d) Generalizing part (c), show that if p and 2p — 1 are both prime, 
and n = p(2p — 1), then n is a pseudoprime for 50% of the possible 
bases b, namely for all 6 which are quadratic residues modulo 2p — 1. 
Let n be a positive odd composite integer, and let g.c.d.(b,n) = 1. 

(a) Show that if p is a prime divisor of n and we set set n’ = n/p, then 
n is a pseudoprime to the base b only if b”’-1 = 1 mod p. 

(b) Prove that no integer of the form n = 3p (with p > 3 prime) can 
be a pseudoprime to the base 2, 5 or 7. 

(c) Prove that no integer of the form n = 5p (with p > 5 prime) can 
be a pseudoprime to the base 2, 3 or 7. 

(d) Prove that 91 is the smallest pseudoprime to the base 3. 

Show that p* (with p prime) is a pseudoprime to the base 6 if and only 
if b?-1 =1 mod p2 

(a) Find the smallest pseudoprime to the base 5. 

(b) Find the smallest pseudoprime to the base 2. 

Let n = pq be a product of two distinct primes. 

(a) Set d = g.c.d.(p — 1,q — 1). Prove that n is a pseudoprime to the 
base b if and only if b¢ = 1 mod n. In terms of d, how many bases are 
there to which n is a pseudoprime? 

(b) How many bases are there to which n is a pseudoprime if g = 2p+1? 
List all of them (in terms of p). 

(c) For n = 341, what is the probability that a randomly chosen b 
prime to n will be a base to which n is a pseudoprime? 

Show that, if n is a pseudoprime to the base b € (Z/nZ)*, then n is 
also a pseudoprime to the base —b and to the base b—). 

(a) Prove that if n is a pseudoprime to the base 2, then so is N = 2"—1. 
(b) Prove that if n is a pseudoprime to the base 5, and if g.c.d.(b — 
1,n) = 1, then the integer N = (b" — 1)/(b— 1) is a pseudoprime to 
the base b. 

(c) Prove that there are infinitely many pseudoprimes to the base b for 
b= 2, 3, 5. 

(d) Give an example showing that part (b) may be false if we omit the 
condition g.c.d.(b—1,n) =1. 
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8. 


10. 


11. 


12. 


16. 


17. 


18. 


Let 6 be any integer greater than 1, let p be an odd prime not dividing 
b,b—1 or b+1. Set n = (b?? — 1)/(b? — 1). 

(a) Show that n is composite. 

(b) Show that 2p|n — 1. 

(c) Show that n is a pseudoprime to the base b; conclude that for any 
base b there are infinitely many pseudoprimes to the base b. 

(a) Use the test (1) to show that 2047 = 21! — 1 is composite. 

(b) Explain why you should never test whether the Fermat number 
22" +1 or the Mersenne number 2? — 1 is prime by checking (1) with 
b = 2. What about using the test (2) with b = 2? What about using 
(3) with b = 2? 

Suppose that m is a positive integer such that 6m + 1, 12m +1 and 
18m + 1 are all primes. Let n = (6m + 1)(12m + 1)(18m + 1). Prove 
that n is a Carmichael number. Note. It is not known whether there are 
infinitely many Carmichael numbers of the form n = (6m + 1)(12m + 
1)(18m + 1), but heuristic arguments suggest that there are. 

Show that the following are Carmichael numbers: 1105 = 5 - 13 - 17; 
1729 = 7-13-19; 2465 = 5-17-29; 2821 = 7-13-31; 6601 = 7-23-41; 
29341 = 13 - 37-61; 172081 = 7- 13-31-61; 278545 = 5- 17-29-1138. 
(a) Find all Carmichael numbers of the form 3pq (with p and q prime). 
(b) Find all Carmichael numbers of the form 5pq (with p and q prime). 
(c) Prove that for any fixed prime number r, there are only finitely 
many Carmichael numbers of the form rpg (with p and q prime). 
Prove that 561 is the smallest Carmichael number. 

Give an example of a composite number n and a base b such that 
b("-1)/2 = +1 mod n but n is not an Euler pseudoprime to the base b. 
(a) Prove that if n is an Euler pseudoprime to the base b € (Z/nZ)"*, 
shen it is also an Euler pseudoprime to the base —b and to the base 
bh 

(b) Prove that if n is an Euler pseudoprime to the base 6; and to the 
base b2, then it is also an Euler pseudoprime to the base b = 6, bo. 
Let n be of the form p(2p — 1), as in Exercise 1(d). 

(a) Prove that n is an Euler pseudoprime for 25% of all possible bases 
b € (Z/nZ)*. 

(b) Find a class of numbers n of this type such that n is a strong 
pseudoprime for 25% of all possible bases. 

Let n be of the form (6m + 1)(12m + 1)(18m + 1), as in Exercise 10. 
Prove that (a) if m is odd, then n is an Euler pseudoprime for 50% of 
all possible bases b € (Z/nZ)*; and (b) if m is even, then n is an Euler 
pseudoprime for 25% of all possible bases. 

(a) Using the big-O notation, estimate the number of bit operations 
required to perform the Miller—Rabin test on a number n enough times 
so that, if n passes all the tests, it has less than a 1/m chance of being 
composite (here n and m are very large). 
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(b) Assuming the Generalized Riemann Hypothesis, estimate the num- 

ber of bit operations required to perform the Miller—Rabin test on n 

enough times to be sure that, if n passes all the tests, then it is prime. 

19. (a) Prove that, if n is a pseudoprime to the base 2, then N = 2" — 1 is 
a strong pseudoprime and an Euler pseudoprime to the base 2. 

(b) Prove that there are infinitely many strong pseudoprimes and Euler 

pseudoprimes to the base 2. 

20. Prove that, if n is a strong pseudoprime to the base b, then it is a 
strong pseudoprime to the base b* for any integer k. 

21. Let n be the Carmichael number 561. 

(a) Find the number of bases b € (Z/561Z)* for which 561 is an Euler 

pseudoprime. 

(b) Find the number of bases for which 561 is a strong pseudoprime, 

and make a list of them. 

22. Prove that if n is a prime power p*, where a > 1, then n is a strong 
pseudoprime to the base 0 if and only if it is a pseudoprime to the base 
b. 

23. (a) Show that 65 is a strong pseudoprime to the base 8 and to the base 
18, but not to the base 14, which is the product of 8 and 18 modulo 
65. 

(b) For any odd composite integer n, let (*) denote the assertion, 

“Whenever n is a strong pseudoprime to the base b, and to the base 

be it is a strong pseudoprime to the base b = b,b2” (in other words, 

the strong pseudoprime property is preserved under multiplication of 
bases). Prove that (*) holds if and only if n is a prime power or is 

divisible by a prime which is = 3 mod 4. 

24. (a) Prove that, if you find a b such that n is a pseudoprime but not a 
strong pseudoprime to the base b, then you can quickly find a nontrivial 
factor of n. 

(b) Explain how to guard against this when choosing your n = pg in 

the RSA cryptosystem. 

Remark. In many primality tests, if a composite n happens to pass 
some initial test and then fails a subsequent test, one not only learns that 
n is composite, but at the same time one can quickly find a nontrivial 
factor. Exercise 24 is an example of this: if n passes the pseudoprime test 
to the base b and then fails the strong pseudoprime test to the base b, then 
you can factor n. One can easily be misled into thinking that in this way 
the primality tests can also be used for factorization. This is not the case. 
Given a large composite number n (e.g., a product of two randomly selected 
large primes), it is extremely unlikely that we would stumble upon a base 
b for which n is a pseudoprime (see Exercise 5(a) above to get an idea 
of the probability of stumbling upon such a b). Thus, the various refined 
pseudoprime tests are useful only in convincing ourselves of the primality 
of a number that really is prime; in practice, if we have a composite number 
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that we want to factor, it will fail every single primality test we apply to 
it, and the primality tests will not help us find a factor. 
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2 The rho method 


Suppose we know that a certain large odd integer n is composite; for ex- 
ample, we found that it fails one of the primality tests in §1. As mentioned 
before, this does not mean that we have any idea of what a factor of n 
might be. Of the methods we have encountered for testing primality, only 
the very slowest — trying to divide by the successive primes less than ./n 
— actually gives us a prime factor at the same time as it tells us that n 
is composite. All of the faster primality test algorithms are more indirect: 
they tell us that n must have proper factors, but not what they are. 

The method of trial division by primes < /n can take more than 
O(./n) bit operations. The simplest algorithm which is substantially faster 
than this is J. M. Pollard’s “rho method” (also called the “Monte Carlo” 
method) of factorization. 
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The first step in the rho method is to choose an easily evaluated map 
from Z/nZ to itself, namely, a fairly simple polynomial with integer coef- 
ficients, such as f(x) = 2? + 1. Next, one chooses some particular value 
x = Zo (perhaps zp = 1 or 2, or perhaps it is a randomly generated inte- 
ger) and computes the successive iterates of f: x; = f(zo), z2 = f(f(z0)), 
x3 = f(f(f(zo))), etc. That is, we define 


L541 = f(z;), j=0,1,2,.... 


Then we make comparisons between different 2;’s, hoping to find two which 
are in different residue classes modulo n but in the same residue class 
modulo some divisor of n. Once we find such x;, x, we have g.c.d.(x; — 
Xp, N) equal to a proper divisor of n, and we are done. 

Example 1. Let us factor 91 by choosing f(r) = x? + 1, x9 = 1. Then 
we have rz] = 2, r2 = 5, 3 = 26, etc. We find that g.c.d.(r3 — ro,n) = 
g.c.d.(21, 91) = 7, so 7 is a factor. Of course, this is a trivial example: we 
could have found the factor 7 faster by trial division. 

In the rho method it is important to choose a polynomial f(z) which 
maps Z/nZ to itself in a rather disjointed, “random” way. For example, 
we shall later see that f(x) must not be a linear polynomial, and in fact, 
should not give a 1-to-1 map. 

Let us suppose that f(x) is a “random” map from Z/nZ to itself, and 
compute how long we expect to have to wait before we have two iterations 
x; and zx, such that x; — z, has a nontrivial common factor with n. We 
do this by finding for a fixed divisor r of n (which, in practice, is not yet 
known to us) the average (taken over all maps from Z/nZ to itself and 
over all values zo) of the first index k such that there exists 7 < k with 
x; = zZ_ mod r. In other words, we regard f(x) as a map from Z/rZ to 
itself and ask how many iterations are required before we encounter the 
first repetition of values x, = x; in Z/rZ. 

Proposition V.2.1. Let S be a set of r elements. Given a map f from 
S to S and an element xp € S, let 2341 = f(z;) for j = 0,1,2,.... Let 
X be a positive real number, and let €=1+ [V2Ar ik Then the proportion 
of pairs (f, 20) for which zo, 21,...,2¢ are distinct, where f runs over all 
maps from S to S and xo runs over all elements of S, is less than e~>. 

Proof. The total number of pairs is r’+!, because there are r choices 
of xo, and for each of the r different x € S there are r choices of f(x). How 
many pairs (f, xo) are there for which zo, 21,...,Z¢ are distinct? There are 
r choices for zo, there are r — 1 choices for f(%9) = 21 (since this cannot 
equal x), there are r — 2 choices for f(x1) = 22, and so on, until f(x) 
has been defined for = zo, 21,...,2¢-1. Then the value of f(x) for each 
of the r — £ remaining z is arbitrary, i.e., there are r’~* possibilities for 
those values. Hence, the total number of possible ways of choosing x9 and 
assigning the values f(z) so that ro,...,2¢ are distinct is: 


140 V. Primality and Factoring 


e 


ci I[c 9); 


j=0 


and the proportion of pairs having the stated property (i-e., the above 
number divided by r7*?) is 


poe ‘Ir-9=10-2) 


The proposition states that the log of this is less than —\ (where = 1+ 
[V2Ar | ). To prove the proposition, then, we take the log of the product on 
the right, and use the fact that log(1—x) < —z for 0 < x < 1 (geometrically, 
this is simply the fact that the logarithm curve remains under the line which 
is tangent to it at the point (1,0)). Using the formula for the sum of the 
first 2 integers, we have: 


e F Qe, 
j j ae + A) -@  —(V2Ar)? 
tog( TT 7 *) - ee r “Or . 2r ie 
j=1 j=l 
as required. This completes the proof of the proposition. 

The significance of Proposition V.2.1 is that it gives an estimate for the 
probable length of time of the rho method, provided that we assume that 
our polynomial behaves like an average map from Z/rZ to itself. Before 
explaining this estimate, we make a slight refinement of the rho method in 
the interest of efficiency. 

Recall that the rho method works by successively computing 2, = 
f(zx-1) and comparing z;, with the earlier z; until we find a pair satisfying 
g.c.d.(x, — £3,n) =r > 1. But as k becomes large, it becomes very time- 
consuming to have to compute g.c.d.(z, — 2;,n) for each j < k. We now 
describe a way to carry out the algorithm so as to make only one g.c.d. 
computation for each k. First, observe that, once there is a kg and jg such 
that 2%. = 2j, mod r for some divisor r|n, we then have the same relation 
Zp = Z; mod r for any pair of indices j, k having the same difference 
k — j = ko — jo. To see this, simply set k = ko +m, j = jo +m, and 
apply the polynomial f to both sides of the congruence z,, = 2j;, mod r 
repeatedly, i.e., m times. 

We now describe how the rho algorithm works. We successively com- 
pute the z,, and for each k we proceed as follows. Suppose k is an (h+1)-bit 
integer, i.e., 2" < k < 2'+1 Let 7 be the largest h-bit integer: 7 = 2° — 1. 
We compare x; with this particular 2;, i.e, we compute g.c.d.(x,_ — 2;,n). 
If this g.c.d. gives a nontrivial factor of n, we stop; otherwise we move on 
tok+1. 

This modified approach has the advantage that we compute only one 
g.c.d. for each k. It has the disadvantage that we probably will not detect the 
first time there is a ko such that g.c.d.(x,,—2j,,m) = 7 > 1 for some jo < ko. 
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However, before long we will detect such a pair z;, 2; whose difference has 
a common factor with n. Namely, suppose that kg has h + 1 bits. Set 
j = 2'*1_1 and k = j + (ko — jo), in which case j is the largest (h+1)-bit 
integer and k is an (h+2)-bit integer such that g.c.d.(z,—2;,n) > 1. Notice 
that we have k < 2h+2 = 4.2) < Ako. 

Example 2. Let us return to Example 1 but compare each 2; only 
with the particular x; for which j is the largest integer < k of the form 
2h 1. For n = 91, f(z) = 27 +1, 2 = 1 we have 2] = 2, a2 = 5, 
x3 = 26 as before, and x4 = 40 (since 26? + 1 = 40 mod 91). Following 
the algorithm described above, we first find a factor of n when we compute 
g.c.d.(x4 — 43, n) = g.c.d.(14, 91) = 7. 

Example 3. Factor 4087 using f(x) =z? +2+1 and 2p = 2. 

Solution. Our computations proceed in the following order: 


£1 = f(2) =7; g.c.d.(z1 — 29, n) = g.c.d.(7 — 2, 4087) = 1; 
Lq = f(7) = 57; g.c.d.(x_q — 21,n) = g.c.d.(57 — 7, 4087) = 1; 
£3 = f(57) = 3307; g.c.d.(r3 — 1,n) = g.c.d.(3307 — 7, 4087) = 1; 
£4 = f (3307) = 2745 mod 4087; g.c.d.(z4 — 23, n) 

= g.c.d.(2745 — 3307, 4087) = 1; 
Zs = f (2745) = 1343 mod 4087; g.c.d.(r5 — x3, 7) 

= g.c.d.(1343 — 3307, 4087) = 1; 
rg = f (1343) = 2626 mod 4087; g.c.d.(xg — 23,7) 

= g.c.d.(2626 — 3307, 4087) = 1: 
£7 = f (2626) = 3734 mod 4087; g.c.d.(x7 — 23,n) 

= g.c.d.(3734 — 3307, 4087) = 61. 


Thus, we obtain 4087 = 61 - 67, and we are done. 

Proposition V.2.2. Let n be an odd composite integer, and let r be 
a nontrivial divisor of n which is less than /n (i.e., rln, 1 <r < Jn; 
we suppose that we are trying to determine what r is). If a pair (f, zo) 
consisting of a polynomial f with integer coefficients and an initial value 
Zo is chosen which behaves like an average pair (f, 29) in the sense of 
Proposition V.2.1 (with f a map from Z/rZ to itself and xo an integer), 
then the rho method will reveal the factor r in O(¥/nlog*n) bit operations 
with a high probability. More precisely, there exists a constant C such that 
for any positive real number X the probability that the rho method fails to 
ie a nontrivial factor of n in CVX 4/nlog?n bit operations is less than 


Proof. Let C; be a constant such that g.c.d.(y—2z,n) can be computed 
in C,log*n bit operations whenever y, z < n (see §1.3). Let C2 be a constant 
such that the least nonnegative residue of f(x) modulo n can be computed 
in C2log?n bit operations whenever z < n (see §1.1). If ko is the first 
index for which there exists jp < ko with 1%, = x;, mod r, then the rho 
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algorithm as described above finds r in the k-th step, where k < 4kpo. 
(Strictly speaking, it could happen that x, — 2; has a larger g.c.d. with 
n, ie., g.c.d.((x_ — 23)/r, n/r) > 1; but the chance of a random integer 
having nontrivial g.c.d. with n/r is small, especially if n is a product of a 
small number of large primes. So we shall neglect this possibility, which at 
worse would have the effect of requiring a slightly larger constant C in the 
proposition.) 

Thus, the number of bit operations needed to find r is bounded by 
4ko(C,log*n +Czlog*n). According to Proposition V.2.1, the probability 
that ko is greater than 1 + /2)r is less than e~ If ko is not greater than 
1+ 2dr, then the number of bit operations needed to find r is bounded 
by (here we use the fact that r < ,/n): 


4(1+ V2dr )(Cylog?n + Calog?n) < 4(14+ V2 VX Y/n)(Cilog?n + Czlog?n). 


If we choose C slightly greater than 4\/2(C, + C2) (so as to take care of 
the added 1), we conclude, as claimed, that the factor r will be found in 
CV  “/nlog*n bit operations, unless we made an unfortunate choice of 
(f, 29), of which the likelihood is less than e~*. 


Remarks. 1. The basic assumption underlying the rho method is that 
polynomials can be found which behave like random maps in the sense of 
Proposition V.2.1. This has not been proved. However, practical experience 
factoring numbers by the rho method suggests that the “average” poly- 
nomial behaves like the “average” map, and that some very simple poly- 
nomials (the most popular one being f(x) = 2? + 1) have this “average” 
property. 

2. According to Proposition V.2.2, if we choose \ large enough to have 
confidence in success — for example, e~* is only about 0.0001 for \ = 9 
— then we know that for an average pair (f, zo) we are almost certain to 
factor n in 3C ¢/nlog?n bit operations. 


Exercises 


In Exercises 1-4, use the rho method with the indicated f(x) and zo to 
factor the given n. In each case compare x, only with the 2; for which 
j = 2" —1 (where k is an (h + 1)-bit integer). 

z*—1,% =2,n=91. 

z? +1, to =1,n = 8051. 

x? —1, 29 = 5, n= 7031. 

z+2+1, 29 =1,n= 2701. 

Let S be a set containing r elements, and let the maps f in the pairs 
(f, Zo) range over all bijections of the set S to itself (i.e., f is a 1-to- 
1 correspondence between S and itself — no two z’s have the same 
f(x)). As before, let 2341 = f(z;) for 7 = 0,1,2,.... For each pair 


SOP NP 


(a) 
(b) 


(c) 
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(f, Zo), let & denote the first index such that there exists j < k for 
which f(z,) = f(x;). Prove that 

(a) k is at most r, and for each value from 1 to r there is a 1/r 
probability that k is that value; 

(b) the average value of k is (r+ 1)/2 (where the average is taken over 
all pairs (f, xo) with f a bijection). 

Using Exercise 5, explain why a linear polynomial az + b should never 
be chosen for f(z) in the rho method. 

Suppose that you are using the rho method to factor a number which 
has a prime divisor r. You decide to choose f(x) = x? as your function 
to be iterated. (This is a bad choice of f(x), as will become clear 
below.) We are interested in determining the first value of k such that 
Zp = re mod r for some £ < k, i.e., the first value of k such that 
Xo, 21,---,2, are not all distinct modulo r. Suppose that you happen 
to choose 29 which is a generator of (Z/rZ)*. Set r — 1 = 2°t, where t 
is odd. 

Write a congruence modulo r—1 which is equivalent to x, = xe (equal- 
ity means congruence modulo r). 

Find the first values of k and @ for which the condition in (a) holds, 
expressing them in terms of s and the binary expansion of the fraction 
1/t. 

Roughly how large is k compared to r? Why is f(z) a bad choice of 
function for the rho method? 
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3 Fermat factorization and factor bases 


Fermat factorization. As we saw earlier (see Exercise 3 of §1.2 and Exercise 
4 of §IV.2), there’s a way to factor a composite number n that is efficient if 
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n is a product of two integers which are close to one another. This method, 
called “Fermat factorization,” is based on the fact that n is then equal to 
a difference of two squares, one of which is very small. 

Proposition V.3.1. Let n be a positive odd integer. There is a 1-to- 
1 correspondence between factorizations of n in the form n = ab, where 
a>b>0, and representations of n in the form t? — s?, where s and t are 
nonnegative integers. The correspondence is given by the equations 
1-2 +b _a-b 

GET Nn aoe! 

Proof. Given such a factorization, we can write n = ab = ((a+b)/2)?— 
((a — b)/2)?, so we obtain the representation as a difference of two squares. 
Conversely, given n = t? — s* we can factor the right side as (t + s)(t — s). 
The equations in the proposition explicitly give the 1-to-1 correspondence 
between the two ways of writing n. 


a=t+s, b=t-s. 


If n = ab with a and 6 close together, then s = (a — b)/2 is small, and 
so t is only slightly larger than ,/n. In that case, we can find a and b by 
trying all values for ¢ starting with [,/n] + 1, until we find one for which 
t? —n = s? is a perfect square. 

In what follows, we shall assume that n is never a perfect square, so 
as not to have to worry about trivial exceptions to the procedures and 
assertions. 

Example 1. Factor 200819. 

Solution. We have [Vv 200819 | +1 = 449. Now 449? — 200819 = 782, 
which is not a perfect square. Next, we try t = 450: 450? — 200819 = 1681 = 
412 Thus, 200819 = 450? — 41? = (450 + 41)(450 — 41) = 491 - 409. 

Notice that if the a and b are not close together for any factorization 
n = ab, then the Fermat factorization method will eventually find a and b, 
but only after trying a large number of t = [Vr] +1, [Vr] +2,.... There 
is a generalization of Fermat factorization that often works better in such a 
situation. We choose a small k, successively set t = [Vkn | +1, [Vkn | +2, 
etc., until we obtain a t for which t? — kn = s? is a perfect square. Then 
(t + s)(t — s) = kn, and so t + s has a nontrivial common factor with n 
which can be found by computing g.c.d.(t + s,n). 

Example 2. Factor 141467. 

Solution. If we try to use Fermat factorization, setting t = 377, 378,..., 
after a while we tire of trying different t’s. However, if we try t = [V3n ] 
+1 = 652,... we soon find that 655? — 3 - 141467 = 687, at which point 
we compute g.c.d.(655 + 68, 141467) = 241. We conclude that 141467 = 
241 - 587. The reason why generalized Fermat factorization worked with 
k = 3 is that there is a factorization n = ab with b close to 3a. With k = 3 
we need to try only four t’s, whereas with simple Fermat factorization (i.e., 
k = 1) it would have taken thirty-eight t’s. 

Factor bases. There is a generalization of the idea behind Fermat fac- 
torization which leads to a much more efficient factoring method. Namely, 
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we use the fact that any time we are able to obtain a congruence of the 
form t? = s* mod n with t # +s mod n, we immediately find a factor 
of n by computing g.c.d.(t + s,n) (or g.c.d.(t — s,n)). This is because we 
have n|t? — s? = (t + s)(t — s), while n does not divide t + s or t — s; thus 
g.c.d.(t + s,n) must be a proper factor a of n, and then b = n/a divides 
g.c.d.(t — s,n). 

Example 4. Suppose we want to factor 4633, and happen to notice 
that 118? leaves a remainder of 25 = 5* modulo 4633. Then we find that 
g.c.d.(118 + 5, 4633) = 41, g.c.d.(118 — 5, 4633) = 113, and 4633 = 41 - 113. 
A skeptic might wonder how in Example 4 we ever came upon a number 
such as 118 whose square has least positive residue also a perfect square. 
Would a random selection of various b soon yield one for which the least 
positive residue of b? mod n is a perfect square? That is very unlikely if n 
is large, so it is necessary to generalize this method in a way that allows 
much greater flexibility in choosing the b’s for which we consider b* mod n. 
The idea is to choose several b;’s which have the property that b? mod n is 
a product of small prime powers, and such that some subset of them, when 
multiplied together, give a b whose square is congruent to a perfect square 
modulo n. We now give the details. 

By the “least absolute residue” of a number a modulo n we mean the 
integer in the interval from —n/2 to n/2 to which a is congruent. We shall 
denote this a mod n. 

Definition. A factor base is a set B = {p1, p2,..., pn} of distinct primes, 
except that p; may be the integer —1. We say that the square of an integer 
b is a B-number (for a given n) if the least absolute residue b? mod n can 
be written as a product of numbers from B. 

Example 5. For n = 4633 and B = {—1,2,3}, the squares of the three 
integers 67, 68 and 69 are B-numbers, because 672 = —144 mod 4633, 
68? = —9 mod 4633, and 69? = 128 mod 4633. 

Let Fi denote the vector space over the field of two elements which 
consists of h-tuples of zeros and ones. Given n and a factor base B con- 
taining h numbers, we show how to correspond a vector € € F# to every 
B-number. Namely, we write b? mod n in the form Tj p;? and set the 
j-th component €; equal to a; mod 2, i.e., €; = 0 if a; is even, and €; = 1 
if a; is odd. 

Example 6. In the situation of Example 5, the vector corresponding 
to 67 is {1,0,0}, the vector corresponding to 68 is {1,0,0}, and the vector 
corresponding to 69 is {0, 1, 0}. 

Suppose that we have some set of B-numbers b? mod n such that the 
corresponding vectors €’; = {€i1,..., €in} add up to the zero vector in Fh. 
Then the product of the least absolute residues of b? is equal to a product 
of even powers of all of the p; in B. That is, if for each 7 we let a; denote 
the least absolute residue of b? mod n and we write a; = Th p; 7, we 
obtain 
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II ae II Pj , 
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with the exponent of each p; an even number on the right. Then the right 
hand side is the square of [],p;’ with 7; = 3 )0;ai;. Thus, if we set 
b = [J], 5; mod n (least positive residue) and c = |], pj? mod n (least 
positive residue), we obtain two numbers 6 and c, constructed in quite 
different ways (one as a product of b;’s and the other as a product of p;’s) 
whose squares are congruent modulo n. 

It may happen that b = +c mod n, in which case we are out of luck, 
and we must start again with another collection of B-numbers whose corre- 
sponding vectors sum to zero. This will happen, for example, if we foolishly 
choose 6; less than ,/n/2, in which case all of the vectors are zero-vectors, 
and we end up with a trivial congruence. 

But for more randomly chosen b;, because n is composite we would 
expect that b and c would happen to be congruent (up to +1) modulo n 
at most 50% of the time. This is because any square modulo n has 2” > 4 
square roots if n has r different prime factors (see Exercise 7 of § 1.3); thus 
a random square root of b? has only a 2/2” < 5 chance of being either b or 
—b. And as soon as we have b and c with b? = c? mod n but b # tc mod n 
we can immediately find a nontrivial factor g.c.d.(b+c, n), as we saw before. 
Thus, if we go through the above procedure for finding b and c until we find 
a pair that gives us a nontrivial factor of n, we see that there is at most a 
2-* probability that this will take more than k tries. 

In practice, how do we choose our factor base B and our b;? One 
method is to start with B consisting of the first h primes (or the first h — 1 
primes together with p, = —1) and choose random },’s until we find several 
whose squares are B-numbers. Another method is to start by choosing some 
b,’s for which b? mod n (least absolute residue) is small in absolute value 
(for example, take b; close to Vkn for small multiples kn; another way will 
be explained in §4). Then choose B to consist of a small set of small primes 
(and usually p, = —1) so that several of the b? mod n can be expressed in 
terms of the numbers in B. 

Example 7. In the situation of Examples 5-6, we actually chose 67 and 
68 because they are close to 4633. After finding that 677 = —144 mod 4633 
and 68? = —9 mod 4633, we saw that we can choose B = {-1,2,3}. As 
we saw before, the vectors corresponding to 6; = 67 and be = 68 are 
{1,0,0} and {1,0,0}, which add up to the zero vector. We compute b = 
67 -68 mod 4633 = —77 and c = 272 - 378 (we can ignore the power of —1 in 
c), ie., c = 36. Fortunately, —-77 # +36 mod 4633, and so we find a factor 
by computing g.c.d.(—77 + 36, 4633) = 41. 

When can we be sure that we have enough 5}; to find a sum of ©; 
which is the zero vector? In other words, given a collection of vectors in 
Fi, when can we be sure of being able to find a subset of them which sums 
to zero? To ask for this is to ask for the collection of vectors to be linearly 
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dependent over the field F2. According to basic linear algebra (which applies 
just as well over the field F2 as over the real numbers), this is guaranteed 
to occur as soon as we have h + 1 vectors. Thus, at worst we’ll have to 
generate h + 1 different B-numbers in order to find our first example of 
([],; bi)? = (II; p;’ )? mod n. (Example 7 shows that we may very well 
obtain linearly dependent vectors sooner; in that case h = 3, and we were 
able to stop after finding two B-numbers.) If h is large, we might not be able 
to notice by inspection a subset of vectors which sums to zero; in that case, 
we must write the vectors as rows in a matrix and use the row-reduction 
technique of linear algebra to find a linearly dependent set of rows. 

Example 8. Let n = 4633. Find the smallest factor-base B such that 
the squares of 68, 69 and 96 are B-numbers, and then factor 4633. 

Solution. As we saw before, 68? mod n and 69? mod n are products 
of —1, 2, and 3; since 96? mod n = —50, the least absolute residues of all 
three squares can be written in terms of the factor-base B = {—1, 2,3, 5}. 
We already computed the vectors €; = {1,0,0,0} and eg = {0,1,0,0} 
corresponding to 68 and 69, respectively. Since 96? = —50 mod 4633, we 
have es = {1,1,0,0}. Since the sum of these vectors is zero, we can take 
b = 68 - 69 - 96 = 1031 mod 4633 and c = 24-3-5 = 240. Then we obtain 
g.c.d.(240 + 1031, 4633) = 41. 


Examples 7 and 8 indicate how one might proceed systematically to 
find several b; such that the least absolute residue b? mod n is a product of 
small primes. The likelihood that b? mod n is a product of small primes is 
greater if this residue is small in absolute value. Thus, we might successively 
try integers b; close to Vkn for small integers k. For example, we might 
choose [Vkn] and [Vkn] +1 for k = 1,2,.... 

Example 9. Let us factor n = 1829 by taking for 6, all integers of the 
form [V1829k] and [V1829k] +1, k =1,2,..., such that b? mod n is a 
product of primes less than 20. For such b; we write b? mod n = J], p;* 
and tabulate the a,;. After taking k = 1, 2,3,4, we have the following table, 
in which the number at the top of the j-th column is p; and the entry in 
the i-th row beneath p; is the power of p; which occurs in b? mod n: 


b; 242 Oe ee i a8 
42 ‘ae ey Ge ee 
43 a ees Oe ee 
61 ae ee 
74 i et Se Sree TES 
85 Pe. Hee Fee 
86 a ee a 


We now look for a subset of rows whose entries sum to an even number 
in each column. We see at a glance that the 2nd and 6th rows sum to 
the even row -—- 6 — 2 — — — . This leads to the congruence 
(be - bg)? = (29/2 - 52/2)? mod n, i.e., (43 - 86)? = 40? mod 1829. But since 
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43 - 86 = 40 mod 1829, we have found only a trivial relationship. Thus, 
we have to look for another subset of rows which sum to a row of even 
numbers. We notice that the sum of the first three rows and the fifth row 
is 22222 — 2 , and this gives the congruence (42 - 43-61-85)? = 
(2-3-5-7-13)? mod n, i.e., 1459? = 901? mod 1829. We conclude that a 
factor of 1829 is g.c.d.(1459 + 901, 1829) = 59. 


Factor base algorithm. We now summarize a systematic method to 
factor a very large n using a random choice of the b;. Choose an integer y of 
intermediate size, for example, if n is a 50-decimal-digit integer, we might 
choose y to be a number with 5 or 6 decimal digits. Let B consist of —1 
and all primes < y. Choose a large number of random b;, and try to express 
b? mod n (least absolute residue) as a product of the primes in B. Once you 
obtain a large quantity of B-numbers b? mod n (m(y) + 2 is enough, where 
m(y) denotes the number of primes < y), take the corresponding vectors in 
F4 (where h = 1(y) +1) and by row-reduction determine a subset of the 
b; whose corresponding €’; sum to zero. Then form b = []}:; mod n and 
c=] p;? mod n, as described above. Then b? = c? mod n. If b = +c mod n, 
start again with a new random collection of B-numbers (or, to be more 
efficient, choose a different subset of rows in the matrix of €’’s which sum 
to zero, if necessary finding a few more B-numbers and their corresponding 
rows). When you finally obtain b? = c? mod n and b # +c mod n, compute 
g.c.d.(b+.c,n), which will be a nontrivial factor of n. 

Heuristic time estimate. We now give a very rough derivation of an 
estimate for the number of bit operations it takes to find a factor of a very 
large n using the algorithm described above. We shall use several simplifying 
assumptions and approximations, and in any case the result will only be a 
probabilistic estimate. If we are very unlucky in our random choice of ),, 
then the algorithm will take longer. 

We shall need the following preliminary facts: 

Fact 1 (Stirling’s formula). log(n!) is approximately nlogn — n. 

By “approximately,” we mean that the difference grows much more 
slowly than n as n —> oo. This can be proved by observing that log(n!) 
is the right-endpoint Riemann sum (with endpoints at 1,2,3,...) for the 
definite integral fT logxdx =nlogn —n+1. 

Fact 2. Given a positive integer N and a positive number u, the total 
number of nonnegative integer N-tuples a; such that ae a; <uis the 
binomial coefficient (lt N ). 

Here [ ] denotes the greatest integer function. Fact 2 can be proved by 
letting each N-tuple solution a; correspond to the following choice of N 
integers 3; from among 1,2,...,[u] + N. Let 6, = a; +1, and for j > 1 
let Bj41 = 8; + aj;41 +1, ie., we choose the (;’s so that there are a; 
numbers between 3;_1 and (@;. This gives a 1-to-1 correspondence between 
the number of solutions and the number of ways of choosing N numbers 
from a set of [u] + N numbers. 
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Now, in order to estimate the time our algorithm takes, a crucial step 
is to estimate the probability that a random number less than z will be a 
product of primes less than y (where y is 8 number much less than x). To 
do this, we first let u denote the ratio 724 jog =. That is, if 2 is an r-bit integer 
and y is an s-bit integer, then wu is desi caniabely the ratio of digits r/s. 

In the course of the computations, we shall want to make some simpli- 
fications by ignoring smaller terms. We shall do this under the assumption 
that u is much smaller than y. We let 7(y), as usual, denote the number of 
prime numbers which are < y. Since 7(y) is approximately equal to y/log y, 
by the Prime Number Theorem, we are also assuming that we are working 
with values of u which are much smaller than 7(y). In a typical practical 
application of the algorithm, we might take y, u, x of approximately the 
following sizes: 


y = 10° (so that m(y) ¥ 7-104 and logy = 14); 
u = 8; 


xz = 1048 


It is customary to let Y(z, y) denote the number of integers < x which 
are not divisible by any prime greater than y, i.e., the number of integers 
which can be written as a product I1p; i <a, wher the product is over 
all primes < y and the a; are nonnegative integers. There is obviously a 
1-to-1 correspondence between 7(y)-tuples of nonnegative integers a; for 
which |], D;’ < xz and integers < x which are not divisible by any prime 
greater than y. Thus, Y(z, y) is equal to the number of integer solutions a; 
to the inequality yy a; logp; < loga, as we see by taking logarithms. 
We now observe that most of the p;’s have logarithms not too much less 
than logy. This is because most of the primes less than y have almost 
the same number of digits as y; only relatively few have many fewer digits 
and hence a much smaller logarithm. Thus, we shall allow ourselves to 
replace log p; by log y in the previous inequality. Dividing both sides of the 
resulting inequality by log y and replacing log x/log y by u, we can say that 
W(x, y) is approximately equal to the number of solutions of the inequality 
5 m(y) a; <u. 

We now make another important simplification, replacing the number 
of variables 7(y) by y. This might appear at first to be a rather reckless 
modification of our problem. And in fact, replacing 7(y) by y does introduce 
nontrivial terms; however, it turns out that those terms cancel, and the net 
result is the same as one would get by a much more careful approximation of 
W(x, y). Thus, we shall suppose that W(z, y) is roughly equal to the number 
of y-tuple nonnegative integer solutions to the inequality pie aj <u. 

But, by Fact 2 (with N = y), this means that W(z, y) is approximately 
(es), We now estimate log (222) , which is the logarithm of the proba- 
bility that a random integer between 1 and z is a product of primes < y. 
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Notice that log x = ulog y, by the definition of u. We use the approximation 
for Y(x,y) and Fact 1: 


log(“2¥)) x tog( EH) —ulogy 


& ([u] + y)log({u] + y) — ([u] + y)— 
— ([u] log fu} — [u]) — (y logy — y) — wlogy. 


We now make some further approximations. First, we replace [u] by uw. 
Next, we note that, because u is assumed to be much smaller than y, we 
can replace log(u + y) by logy. After cancellation we obtain 


log(“2¥)) = —ulogu, 


ie., 
P(2,Y) ye. 
x 
For example, this says that if z ~ 10*8 and y = 10° as above, then the 
probability that a random number between 1 and z is a product of primes 
< y is about 1 out of 8% 

We are now ready to estimate the number of bit operations required to 
carry out the factor base algorithm described above, where for simplicity we 
shall suppose that our factor base B consists of the first h = (y) primes, 
ie., all primes < y. To make our analysis easier, we shall suppose that B 
does not include —1, and that we consider the least positive residue (rather 
than the least absolute residue) of b? mod n. 

Thus, we estimate the number of bit operations required to carry out 
the following steps: (1) choose random numbers b; between 1 and n and 
express the least positive residue of b? modulo n as a product of primes 
< y if it can be so expressed, continuing until you have z(y) + 1 different 
b;’s for which b? mod n is written as such a product; (2) find a set of 
linearly dependent rows in the corresponding (((y) + 1) x m(y))-matrix 
of zeros and ones to obtain a congruence of the form b? = c* mod n; 
(3) if b = +c mod n, repeat (1) and (2) with new 6; until you obtain 
b? = c* mod n with b # +c mod n, at which point find a nontrivial factor 
of n by computing g.c.d.(b+ ¢,n). 

Assuming that the b? mod n (meaning least positive residue of b? 
modulo n) are randomly distributed between 1 and n, by the argument 
above we expect that it will take approximately u™ tries before we find a 
b; such that b? mod n is a product of primes < y, where u = logn/log y. 
We will later decide how to choose y so as to minimize the length of time. 
The point is that choosing y large would make u“ small, and so we would 
frequently encounter b; such that b? mod n is a product of primes < y. 
However, in that case the factorization of b? mod n into a product involving 
all of those primes — which we would have to do m(y) + 1 times — and 
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then the row reduction of the matrix would all be very time consuming. 
Conversely, if we choose y fairly small, then the latter tasks would be easy, 
but it would take us a very long time to find any 6;’s for which b? mod n 
is divisible only by primes < y, because in that case u“ would be very 
large. So y should be chosen in some intermediate range, as a compromise 
between these two extremes. 

In order to decide how y should be chosen, we first make a very rough 
estimate in terms of y (and n, of course) of the number of bit operations. 
We then minimize this with respect to y (using first year calculus and some 
simplifying approximations), and find our time estimate with y chosen so 
that the time is minimized. 

Suppose that n is an r-bit integer and y is an s-bit integer; then wu is 
very close to r/s. First of all, how many bit operations are needed for each 
test of a randomly chosen 6;? We claim that the number of operations is 
polynomial in r and y, i.e., it is O(r'e**) for some (fairly small) integers 
k and l. It takes a fixed amount of time to generate a random bit, and 
so O(r) bit operations to generate a random integer b; between 1 and n. 
Next, computing b? mod n takes O(r*) bit operations. We must then divide 
b? mod n successively by all primes < y which divide it evenly (and by any 
power of the prime that divides it evenly), hoping that when we’re done 
we'll be left with 1. A simple way to do this (though not the most efficient) 
would be to divide successively by 2 and by all odd integers p from 3 to y, 
recording as we go along what power of p divides b? mod n evenly. Notice 
that if p is not prime, then it will not divide evenly, since we will have 
already removed from b? mod n all of the factors of p. Since a division of 
an integer of < r bits by an integer of < s bits takes time O(rs), we see 
that each test of a randomly chosen 6; takes O(rsy) bit operations. 

To complete step (1) requires testing approximately u“(a(y)+1) values 
of b;, in order to find m(y) + 1 values for which b? mod n is a product of 
primes < y. Since m(y) © Tay = O(y/s), this means that step (1) takes 
O(u"ry”) bit operations. 

Step (2) then involves operations which are polynomial in y and r (such 
as matrix reduction and finding b and c modulo n). Thus, step (2) takes 
O(y/r") bit operations for some integers j and h. Each time we perform 
steps (1)-(2) there is at least a 50% chance of success, i.e., of finding that 
b # +c mod n. More precisely, the chance of success is 50% if n is divisible 
by only two distinct primes, and is greater if n is divisible by more primes. 
Thus, if we are satisfied with, say, a 1 — 2~°° probability of finding a non- 
trivial factor of n, it suffices to go through the steps 50 times. Taking this 
as good enough for all practical purposes, we end up with the estimate 


O(50(u"r2y? + yr")) = O(r?uty?) = O(r*ute**) = O(r*(r/s)"/*e**), 
for suitable integers h and k. 


We now find y — equivalently, s — for which this time estimate is 
minimal. Since r, the number of bits in n, is fixed, this means minimizing 
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(r/s)"/*e** with respect to s, or equivalently, minimizing its log, which is 
‘log= + ks. Thus, we set 


0= <(. log ~ + ks) = -5 (log + 1) +k =~ log + k, 
ie., we choose s in such a way that ks is approximately equal to 5 log“, 
in other words, in such a way that the two factors in (r/s)"/*e** are ap- 
proximately equal. Because k is a constant, it follows from the above ap- 
proximate equality that s? has the same order of magnitude as r log(r/s) = 
r(log r —log s), which means that s has order of magnitude between ,/r and 
Vr logr. But this means that log s is approximately slogr, and so, making 
the substitution log s ~ glogr, we transform the above relation to: 


r : 
Oe eat + k, ie., ce~] va logr. 


With this value of s, we now estimate the time. Since the two factors 
(r/s)"/* and e** are approximately equal for our optimally chosen s, the 


V2k rl 
time estimate simplifies to O(e?**) = O(e °9”). Replacing the con- 
stant V2k by C, we finally obtain the following estimate for the number of 
bit. operations required to factor an r-bit integer n: 


o(e" ios 


The above argument was very rough. We made no attempt to jus- 
tify our simplifications or bound the error in our approximate equalities. 
In addition, both our algorithm and our estimate of its running time are 
probabilistic. 

Until the advent of the number field sieve very recently (see the remark 
at the end of §5), all analyses of the running time of the best general-purpose 


factoring algorithms known led to estimates of the form O ec rlogr) 


In some cases, the estimates were proved rigorously, and in other cases 
they relied upon plausible but unproved conjectures. The main difference 
between the time estimates for the various competing algorithms was the 
constant C in the exponent. In this respect the factoring problem has had 
a history quite different from the primality problem considered in §1, where 
improvements in running time (especially of deterministic primality tests) 
have been dramatic. For a detailed survey and comparison of the factoring 
algorithms that were known in the early 1980’s, see Pomerance’s 1982 article 
cited in the references below. 

Remark. Since r = O(logn), the above time estimate can also be 
expressed in the form 


C vlognlogt 
Time(Factor n) = o(e me aa): 
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Except for the number field sieve, all of the asymptotically fast general 
factoring algorithms have conjectured running times of the above form with 
C =1+ € for € arbitrarily small. 

Implications for RSA. Recall that the security of the RSA public key 
cryptosystem (see §IV.2) depends upon the circumstance that factoring a 
very large integer of the form n = pg is much more time consuming than 
the various tasks which legitimate users of the system must perform, tasks 
which are polynomial time or near-polynomial time (primality testing) as 
functions of the number r of bits in n. We have just seen why time estimates 


of the form O(e° yee ") tend to arise when analyzing factoring algorithms. 
Since a polynomial function of r can be written in the form O(e° '°9"), we 
see that for large r the time required for factorization is indeed much larger 
than for polynomial time or near-polynomial time algorithms. (However, the 


factoring algorithms with time estimate of the form O(e° we sy are better 
for large r than the rho method, which has time estimate approximately 
O( Yn) = O(e@), where C = } log 2.) 

Finally, we note that the question of replacing \/r log r in the exponent 
by a smaller function of r is not the only matter of practical importance in 
evaluating the security of the RSA system. After all, a polynomial function 


of the number of bits r becomes much smaller than C; a nea only when 
r is large, and how large r must be taken depends strongly on the values of 
the constants C and C2. So even the discovery of a factoring algorithm with 
the same time estimate except with smaller constants would have practical 
implications for the usability of the RSA public key cryptosystem. 


Exercises 


1. Use Fermat factorization to factor: (a) 8633, (b) 809009, (c) 92296873, 
(d) 88169891, (e) 4601. 

2. Prove that, if n has a factor that is within “/n of ./n, then Fermat 
factorization works on the first try (i.e., for t = [Vn] +1). 

3. (a) Prove that if k = 2, or if k is any integer divisible by 2 but not by 4, 
then we cannot factor a large odd integer n using generalized Fermat 
factorization with this choice of k. 

(b) Prove that if k = 4, and if generalized Fermat factorization works 
for a certain t, then simple Fermat factorization (with k = 1) would 
have worked equally well. 

4. Use generalized Fermat factorization to factor: (a) 68987, (b) 29895581, 
(c) 19578079, (d) 17018759. 

5. Let n = 2701. Use the B-numbers 52?, 53? mod n for a suitable factor- 
base B to factor 2701. What are the ~€’’s corresponding to 52 and 
53? 

6. Let n = 4633. Use 68, 152 and 153 with a suitable factor-base B to 
factor 4633. What are the corresponding vectors? 
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7. 


10. 


(a) Prove that: logn! — (nlogn —n) = O(logn). 

(b) Derive the more precise estimate: log n!—((n+$)logn —n) = O(1). 

(c) What is the expected value of log j for a randomly chosen integer 

j between 1 and y? 

(a) What is the probability that a randomly chosen set of k vectors in 
3 is linearly independent (where k < n)? 

(b) What is the probability that 5 randomly chosen vectors in F3 are 

a basis? 

Let n be an r-bit integer. By what factor does each of the expressions 

a/rlogr 


</n (that appears in the time estimate for the rho method) and e 
(that appears in the estimate for the factor base method) increase if n 
increases from a 50-decimal-digit to a 100-decimal-digit integer? 

(a) Suppose that f(s) is a positive monotonically decreasing function 
and g(s) is a positive monotonically increasing function on an interval, 
and suppose that f(so) = g(so). Prove that the function h(s) = f(s)+ 
g(s) “essentially” reaches its minimum at so, in the sense that the 
minimum value of h(s) is between h(so) and $ h(so). 

(b) Suppose that f(s) > 1 is a monotonically decreasing function and 
g(s) > 1 is a monotonically increasing function on an interval, and 
suppose that f(s9) = g(so). Prove that the function h(s) = f(s)g(s) 
“essentially” reaches its minimum at so, in the sense that the minimum 
value of h(s) is between h(so) and \/h(s0). 

(c) Using part (b), show that the function h(s) = (r/s)"/* e** on the 
interval (0,r) (here k and r are positive constants) “essentially” reaches 
its minimum when (r/s)"/* = es. 
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4 The continued fraction method 


In the last section, we saw that the factor-base method of finding a non- 
trivial factor of a large composite integer n works best if one has a good 
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method of finding integers b between 1 and n such that the least abso- 
lute residue 6? mod n is a product of small primes. This is most likely to 
occur if the absolute value of b? mod n is small. In this section we de- 
scribe a method (originally due to Legendre) for finding many b such that 
|b? mod n| < 2,/n. This method uses “continued fractions,” so we shall 
start with a brief introduction to the continued fraction representation of 
a real number. Our account will describe only those features which will be 
needed here; the reader interested in a more thorough treatment of contin- 
ued fractions should consult, for example, Davenport’s classic and readable 
book (see the references at the end of the section). 

Continued fractions. Given a real number 2, we construct its continued 
fraction expansion as follows. Let ap = [2] be the greatest integer not greater 
than x, and set ro = x — ag; let a; = [1/zo], and set 21 = 1/z9 — a1; and 
for i > 1, let a; = [1/a2;_1], and set 2; = 1/x2;_1 — a;. If/when you find 
that 1/x;_1 is an integer, you have x; = 0, and the process stops. It is not 
hard to see that the process terminates if and only if x is rational (because 
in that case the x2; are rational numbers with decreasing denominators). 


Because of the construction of ag,a;,...,a;, for each 7 you can write 
1 
LAO eg me 
a, + 
n 1 
ag eee 
a, + 2; 


which is usually written in a more compact notation as follows: 


re ae ee 1 
oT Git agt agt ag tay 


Suppose that z is an irrational real number. If we carry out the above 
expansion to the i-th term and then delete z;, we obtain a rational number 
b/ci, called the i-th convergent of the continued fraction for z: 


b; 1 1 1 1 1 


—=+-a + —_— —_ ——_ + + - ———_ —. 
Ci : Qi;+ aot agt+ = aj-1+ aj 


oar iane V.4.1. In ihe above notation, one has: 


by _ aoaji+1. — aib;-1+bi_-2 . ; 
(a) 2 eu C1 a ’ a ~~ agey_-ite—2 fori > 2; 


(b) the fracion on the right in part (a) are in lowest terms, i.e., if bj = 

aibj_1 + bj-2 and c; = ajcx_1 + Ci-2, then g.c.d.(b;, ci) = 1; 

(c) bici-1 — bj-1¢e; = (-1)*"} fori > 1. 

Proof. We define the sequences {b;} and {c;} by the relations in (a), 
and prove by induction that then b;/c; is the i-th convergent. We will prove 
this without assuming that the a; are integers, i.e., we will prove that for 
any real numbers a; the. ratio bs i /c; with b; and c; defined by the formulas 
in (a) is equal to ap + = sy --» =. It is trivial to check the beginning of the 
induction (7 = 0,1, 2). We now ‘suppose that the claim is true through the 
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i-th convergent, and we prove the claim for the (i + 1)-th convergent. Note 
that we obtain the (i + 1)-th convergent by replacing a; by a; + 1/ai41 
in the formula that expresses the numerator and denominator of the i-th 
convergent in terms of the (i — 1)-th and (i — 2)-th. That is, the (i+ 1)-th 
convergent is 


1 
(a; + ai )bi-1 + dj-2 = Qi41 (a;bj-1 + bi-2) + bj-1 _ 04415; + bi_-1 
(a, +—-)g-1+c-2 igi (@ici-1t+cGi-2)+C-1 aigic; t+G—1’ 


Qi+1 


by the induction assumption. This completes the induction, and proves part 
(a). 

Part (c) is also easy to prove by induction. The induction step goes as 
follows: 


bigacs — biciga = (i410; + By-1)c; — Bi (Gig1e; + C1) = Bi-16; — bici_1 
= -(-1)*"? = (-1)4 


so part (c) for i implies part (c) for i+1. Finally, part (b) follows from part 
(c), because any common divisor of b; and c; must divide (—1)*~}, which is 
+1. This proves the proposition. 

If we divide the equation in Proposition V.4.1(c) by cjc;_1, we find 


that : 

bby (-1)*? 

ae on ae aa 
Since the c; clearly form a strictly increasing sequence of positive integers, 
this equality shows that the sequence of convergents behaves like an al- 
ternating series, i.e., it oscillates back and forth with shrinking amplitude; 
thus, the sequence of convergents converges to a limit. 

Finally, it is not hard to see that the limit of the convergents is the 
number x which was expanded in the first place. To see that, notice that 
x can be obtained by forming the (¢ + 1)-th convergent with a;;1 replaced 
by 1/x;. Thus, by Proposition V.4.1(a) (with 4 replaced by i +1 and a;4, 
replaced by 1/2;), we have 


_ bi /xj + by-1 m bj + 24b;-1 
G/tp+C-1 G+ 2iC;-1" 


and this is strictly between b;_,/cj;-1 and b;/c;. (To see this, consider the 
two vectors u = (b;,c;) and v = (b;_1,c;-1) in the plane, both in the same 
quadrant; note that the slope of the vector u+ 2;v is intermediate between 
the slopes of u and v.) Thus, the sequence b;/c; oscillates around x and 
converges to x. 

Continued fractions have many special properties that cause them to 
come up in several different branches of mathematics. For example, they 
provide a way of generating “best possible” rational approximations to real 
numbers (in the sense that any rational number that is closer to x than b;/c; 
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must have a denominator larger than c;). Another property is analogous 
to the fact that the decimal (or base-b) digits of a real number z repeat if 
and only if z is rational. In the continued fraction expansion of 7, we saw 
that the sequence of integers a; terminates if and only if z is rational. It 
can be shown that the a; become a repeating sequence if and only if z isa 
quadratic irrationality, i.e., of the form 21 + Z2./n with x and 22 rational 
and n not a perfect square. This is known as Lagrange’s theorem. 
Example 1. If we start expanding /3 as a continued fraction, we obtain 


1+ 24 14 24+ 14 2+ 


At this point we might conjecture that the a;’s alternate between 1 and 
2. To prove this, let x equal the infinite continued fraction on the right 
with alternating 1’s and 2’s. Then clearly g = 1+ maa) as we see by 
replacing x on the right by its definition as a continued fraction. Simplify- 
ing the rational expression on the right and multiplying both sides of the 
equation by 2+ 2 gives: 27 + x? = 3+ 2z, ie., = V3. 

Proposition V.4.2. Let > 1 be a real number whose continued fraction 
expansion has convergents b;/c;. Then for all i: |b? — x*c?| < 2z. 

Proof. Since z is between b;/c; and b;41/ci41, and since the absolute 
value of the difference between these successive convergents is 1/c;cj+1 (by 
Proposition V.4.1(c)), we have 


|b? —x |= Ale “e+ A] < d (x 
+1 


CCG 


Hence, 


[02 — 22e2| — 20 < 20(— 1+ 4 : ) <20(-1+ + 1) 
Qc}, Cit. Ci41 


< 2x(- 1+ Sat) 0. 


This proves the proposition. 

Proposition V.4.3. Let n be a positive integer which is not a perfect 
square. Let b;/c; be the convergents in the continued fraction expansion of 
Vn. Then the residue of b? modulo n which is smallest in absolute value 
(i.e., between —n/2 and n/2) is less than 2,/n. 

Proof. Apply Proposition V.4.2 with z = /n. Then b? = b? — 
nc? mod n, and the latter integer is less than 2,/n in absolute value. 

Proposition V.4.3 is the key to the continued fraction algorithm. It 
says that we can find a sequence of b;’s whose squares have small residues 
by taking the numerators of the convergents in the continued fraction ex- 
pansion of ./n. Note that we do not have to find the actual convergent: only 
the numerator b; is needed, and that is needed only modulo n. Thus, the 
fact that the numerator and denominator of the convergents soon become 
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very large does not worry us. We never need to work with integers larger 

than n? (when we multiply integers modulo n). 

We now describe in sequence how the continued fraction algorithm 
works. All we do is use the factor-base method in §3, except with Proposi- 
tion V.4.3 replacing random choice of the },’s. 

Continued fraction factoring algorithm. Let n be the integer to be 
factored. All computations below will be done modulo n, i.e., products and 
sums of integers will be reduced modulo n to their least nonnegative residue 
(or least absolute residue in step (3)). First set b-1 = 1, bp = ap = [Vn], 
and zp = /n — ao. Compute 62 mod n (which will be b2 — n). Next, for 
i = 1,2,... successively: 

1. Set a; = [1/z;_1] and then 2; = 1/z;-1 — aj. 

2. Set b; = a;bj_-1 + b;-2 (reduced modulo n). 

3. Compute b? mod n. After doing this for several i, look at the numbers in 
step 3 which factor into + a product of small primes. Take your factor 
base B to consist of —1, the primes which occur in more than one of the 
b? mod n (or which occur to an even power in just one b? mod n). Then 
list all of the numbers b? mod n which are B-numbers, along with the 
corresponding vectors €’; of zeros and ones. If possible, find a subset 
whose vectors sum to zero. Set b = [] 6; (working modulo n and taking 
the product over the subset for which }> €’; = 0). Set c = J] p;’, where 
p; are the elements of B (except for —1) and 7; = 3 > ai; (with the 
sum taken over the same subset of i; see §3). If b # tc mod n, then 
g.c.d.(b+c, n) is a nontrivial factor of n. If b = +c mod n, then look for 
another subset of i such that > e’; = 0. If it is not possible to find any 
subset of i such that }> ’, = 0, then you must continue computing 
more a;, b;, and b? mod n, enlarging your factor base B if necessary. 
Remark. In order to be able to compute c = [] py’, it is efficient if for 

each B-number b? mod n we record the vector @; = {...,aij,...}; rather 

than ~’;, which is simply a’; reduced modulo 2. 

Example 2. Use the above algorithm to factor 9073. 

Solution. We first make a list of successive a;’s and b,’s (where b; is 
the least nonnegative residue modulo n of a;b;-1 + b;-2), along with the 
corresponding least absolute residue modulo n of 6?: 


a 0 1 2 3 4 
a; 9 3 1 26 2 
b 95 286 381 1119 2619 


b? modn -48 139 -7 87 -27 


Looking at the last line of the table, we see that it is reasonable to set B = 
{—1, 2,3, 7}. Then b? mod n is a B-number for i = 0, 2, 4. The corresponding 
vectors @ ; are, respectively, {1, 4, 1,0}, {1, 0,0, 1}, and {1,0, 3,0}. The sum 
of the first and third is zero modulo 2. So let us choose b = 95-2619 = 
3834 mod 9073, and c = 2? - 3? = 36. Thus, 3834? = 36? mod 9073. 
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Since 3834 # +36 mod 9073, we obtain the nontrivial factor g.c.d.(3834 + 
36, 9073) = 43. Thus, 9073 = 43 - 211. 

Example 3. Factor 17873. 

Solution. As in Example 2, we start out with a table 


a 0 1 2 3 4 5 
a; 1331 2 4 2 3 
b: 133 1384 401 1738 3877 13369 


b? modn -184 83 -56 107 -64 161 


If we set B = {—1, 2,7, 23}, we have B-numbers when i = 0, 2, 4,5; the cor- 
responding vectors @; are, respectively, {1,3,0,1}, {1,3, 1,0}, {1,6,0, 0} 
and {0,0,1,1}. The sum of the first, second and fourth of these four vec- 
tors is zero modulo 2. However, if we compute b = 133 - 401 - 13369 = 
1288 mod 17873 and c = 23-7 - 23 = 1288, we find that b = c mod 17873. 
Thus, we must continue to look for more B-numbers with vectors that sum 
to zero modulo 2. Continuing the table, we have 


a 6 7 8 

ay 1 2 . 1 

b: 17246 12115 11488 
b? modn —-77 149 —88 


If we now enlarge B to include the prime 11, ie., B = {—1, 2,7, 11, 23}, 
then for i = 0,2,4,5,6,8 we obtain B-numbers with vectors a’; as fol- 
lows: {1,3,0,0,1}, {1,3,1,0,0}, {1,6,0,0,0}, {0,0,1,0,1}, {1,0,1, 1,0}, 
{1,3,0,1,0}. We now note that the sum of the second, third, fifth and 
sixth of these six vectors is zero modulo 2. This leads to b = 7272, c = 4928, 
and we finally find a nontrivial factor g.c.d.(7272 + 4928, 17873) = 61. We 
obtain: 17873 = 61 - 293. 


Exercises 


1. Find the continued fraction representation of the following rational 
numbers: (a) 45/89; (b) 55/89; (c) 1.13. 

2. (a) Suppose that x is a real number whose continued fraction expansion 
consists of the positive integer a repeated infinitely: 


bs a+ a+ a+ at 


What real number is z (written in a simple closed form)? 
(b) Prove that if a = 1 in part (a), then z is the golden ratio and 
the numerators and denominators of the convergents are Fibonacci 
numbers. 

3. Expand e in a continued fraction, and try to guess a pattern in the 
integers a;. 
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4. In the continued fraction algorithm explain why there is no need to 
include in the factor base B any primes p such that ey =-l. 

5. Following Examples 2 and 3, use the continued fraction algorithm to 
factor the following numbers: (a) 9509; (b) 13561; (c) 8777; (d) 14429; 
(e) 12403; (f) 14527; (g) 10123; (h) 12449; (i) 9353; (j) 25511; (k) 17873. 
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5 The quadratic sieve method 


The quadratic sieve method for factoring large integers, developed by 
Pomerance in the early 1980’s, for a long time was more successful than 
any other method in factoring integers n of general type which have no 
prime factor of order of magnitude significantly less than ./n. (For integers 
n having a special form there may be special purpose methods which are 
faster, and for n divisible by a prime much smaller than ,/n the elliptic 
curve factorization method in §VI.4 is faster. Also see the discussion of the 
number field sieve at the end of the section.) 

The quadratic sieve is a variant of the factor base approach discussed 
in §3. As our factor base B we take the set of all primes p < P (where P is 
some bound to be chosen in some optimal way) such that n is a quadratic 


residue mod p, i.e., (2) = 1 for p odd, and p = 2 is always included in 
B. The set of integers S in which we look for B-numbers (recall that a 
B-number is an integer divisible only by primes in B) will be the same set 


that we used in Fermat factorization (see §3), namely: 
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S$ ={P-n| [vn] +1<t< [va] +4} 


for some suitably chosen bound A. 

The main idea of the method is that, instead of taking each s € S 
one by one and dividing it by the primes p € B to see if it is a B-number, 
we take each p € B one by one and examine divisibility by p (and powers 
of p) simultaneously for all of the s € S. The word “sieve” refers to this 
idea. Here we should recall the “sieve of Eratosthenes,” which one can 
use to make a list of all primes p < A. For example, to list the primes 
< 1000 one takes the list of all integers < 1000 and then for each p = 
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31 one discards all multiples of p greater than 
p — one “lets them fall through a sieve which has holes spaced a distance 
p apart” — after which the numbers that remain are the primes. 

We shall give an outline of a procedure to carry out the method, and 
then give an example. The particular version described below is only one 
possible variant, and it is not necessarily the most efficient one. Moreover, 
our example of a number n to be factored (and also the numbers to be 
factored in the exercises at the end of the section) will be chosen in the 
range ~ 10°, so as to avoid having to work with large matrices. However, 
such n are far too small to illustrate the time advantage of the sieve in 
finding a large set of B-numbers. 

Thus, suppose we have an odd composite integer n. 

1. Choose bounds P and A, both of order of magnitude roughly 


eV !o9 nloglog n 


Generally, A should be larger than P, but not larger than a fairly small 
power of P,e.g., P< A < P?. 

This function exp(/logn loglogn), which we encountered before in 
this chapter and which is traditionally denoted L(n), has an order of mag- 
nitude intermediate between polynomial in logn and polynomial in n. If 
n = 10°, then L(n) ~ 400. In the examples below, we shall choose P = 50, 
A= 500. 

2. For ¢ = [/n] +1, [/n] + 2,..., [\/n] + A, make a column listing 
the integers t? — n. 

3. For each odd prime p < P, first check that (2) = 1 (see 811.2); if 


not, then throw that p out of the factor base. 

4. Assuming that p is an odd prime such that n is a quadratic residue 
mod p (we'll treat the case p = 2 separately), solve the equation t? = 
n (mod p*) for 3 = 1,2,..., using the method in Exercise 20 of §II.2. Take 
increasing values of @ until you find that there is no solution t which is 
congruent modulo p’ to any integer in the range [\/n] +1<t<[/n]+A. 
Let G be the largest integer such that there is some t in this range for which 
t? = n (mod p®). Let t; and tz be two solutions of t? = n (mod p*) with 
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to = —t, (mod p*) (t, and tz are not necessarily in the range from [./n]+1 
to [/n] + A). 

5. Still with the same value of p, run down the list of t? — n from part 
2. In acolumn under p put a 1 next to all values of t? — n for which t differs 
from t; by a multiple of p, change the 1 to a 2 next to all values of t? —n 
for which t differs from t; by a multiple of p?, change the 2 to a 3 next to 
all values of t? — n for which ¢ differs from t, by a multiple of p*, and so on 
until p?. Then do the same with t replaced by ta. The largest integer that 
appears in this column will be (. 

6. As you go through the procedure in 5), each time you put down a 1 
or change a 1 to a 2, a 2 to a 3, etc., divide the corresponding t? — n by p 
and keep a record of what’s left. 

7. In the column p = 2, if n # 1 mod 8, then simply put a 1 next to the 
t? — n for t odd and divide the corresponding t? — n by 2. If n = 1 mod 8, 
then solve the equation t? = n (mod 2) and proceed exactly as in the case 
of odd p (except that there will be 4 different solutions t1, te, t3, tg modulo 
28 if B > 3). 

8. When you finish with all primes < P, throw out all of the t? —n 
except for those which have become 1 after division by all the powers of 
p <P. You will have a table of the form in Example 9 in §3, in which the 
column labeled ; will have the values of t, [/n]+1<t < [/n]+ A, for 
which ¢? — n is a B-number, and the other columns will correspond to all 
values of p < P for which n is a quadratic residue. 

9. The rest of the procedure is exactly as in §3. 


Example. Let us try to factor n = 1042387, taking the bounds P = 50 
and A = 500. Here [,/n] = 1020. Our factor base consists of the 8 primes 
{2, 3, 11,17, 19, 23, 43, 47} for which 1042387 is a quadratic residue. Since 
n # 1 (mod 8), the column corresponding to p = 2 alternates between 1 
and 0, with a 1 beside all odd t, 1021 < ¢ < 1520. 

We describe in detail how to form the column under p = 3. We 
want a solution ty = t190 + f11-°3+4ti2- 5 ty e-1° 38-1 to 
t? = 1042387 (mod 3°), where ti; € {0,1,2} (for the other solution t2 
we can take tg = 3% — t,). We can obviously take t;,9 = 1. (For each of 
our 8 primes the first step — solving t? = 1042387 (mod p) — can be 
done quickly by trial and error; if we were working with larger primes, 
we could use the procedure described at the end of §II.2.) Next, we work 
modulo 9: (1 + 3¢1,1)? = 1042387 = 7 (mod 9), i.e., 6t1,1 = 6 (mod 9), i-e., 
2t1,1 = 2 (mod 3), so ty, = 1. Next, modulo 27: (1+3+9t1,2)? = 1042387 = 
25 (mod 27), i.e., 16 + 18t1,2 = 25 (mod 27), i.e., 2t1,.2 = 1 (mod 3), so 
t1,2 = 2. Then modulo 81: (1+3+18+ 27t1,3)? = 1042387 = 79 (mod 81), 
which leads to t1,3 = 0. Continuing until 3”, we find the solution (in the no- 
tation of §I.1 for numbers written to the base 3): t; = (210211)3 (mod 37), 
and tz = (2012012)3 (mod 3”). However, there is no t between 1021 and 
1520 which is = t, or t2 modulo 3’. Thus, we have 8 = 6, and we can 
take t, = (210211); = 589 = 1318 (mod 36) and t, = 3°-t,; = 140 = 
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1112 (mod 3°) (note that there is no number in the range from 1021 to 
1520 which is = to (mod 3°)). 

We now construct our “sieve” for the prime 3 as follows. Starting from 
1318, we take jumps of 3 down until we reach 1021 and up until we reach 
1519, each time putting a 1 in the column, dividing the corresponding 
t? — n by 3, and recording the result of the division. (Actually, for t odd, 
the number we divide by 3 is half of t? —n, since we already divided t? —n by 
2 when we formed the column of alternating 0’s and 1’s under 2.) Then we 
do the same with jumps of 9, each time changing the 1 to 2 in the column 
under 3, dividing the quotient of t? — n by another 3, and recording the 
result. We go through the analogous procedure with jumps of 27, 81, 243, 
and 729 (there is no jump possible for 729 — we merely change the 5 to 
6 next to 1318 and divide the quotient of 1318?—1042387 by another 3). 
Finally, we go through the same steps with t2 = 1112 instead of t; = 1318, 
this time stopping with jumps of 243. 

After going through this procedure for the remaining 6 primes in our 
factor base, we have a 500 x 8 array of exponents, each row corresponding 
to a value of t between 1021 and 1520. Now we throw out all rows for which 
t? — n has not been reduced to 1 by repeated division by powers of p as we 
formed our table, i.e., we take only the rows for which t? — n is a B-number. 
In the present example n = 1042387 we are left with the following table 
(here blank spaces denote zero exponents): 


t vin 2 3 11 «17 19 23 43 47 
1021 54 13 --+- = =- - = 
1027 =: 12342 112 31-+- - - 
1030 =: 18513 - 22 1-- - = 
1061 83334 11- 1 2 - 1 - 
1112 = =194157 ae A Oe 
1129 = 232254 13 11 - 1 - - 
1148 275517 - 23 - - 1- = 
1175 338238 12 —- - 1 1 21 - 
1217 438702 113212 - 1- = 
1390 889713 - 22 - 1 - 1 - 
1520 1268013 - 1- 1 -+- 2 - #1 


Proceeding as we did in Example 9 in §3, we now look for relations modulo 
2 between the rows of this matrix. That is, moving down from the first 
row, we look for a subset of the rows which sums to an even number in 
each column. The first such subset we find here is the first three rows, the 
sum of which is twice the row 1321 — — — —. Thus, we obtain the 
congruence 


(1021 - 1027 - 1030)? = (2- 3° - 11? - 17)? (mod 1042387). 
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But despite our good fortune in finding a set of mod 2 linearly de- 
pendent rows so quickly, it turns out that we are not so lucky after 
all: the two numbers being squared in the above congruence are both 
= 111078 (mod 1042387), so we get only the trivial factorization. As we 
continue down the matrix, we find some other sets of dependent rows, 
which also fail to give us a nontrivial factorization. Finally, when we are 
about to give up — and start over again with a larger A — we notice 
that the last row — corresponding to our very last value of t — is depen- 
dent on the earlier rows. More precisely, it is equal modulo 2 to the fifth 
row. This gives us (1112 - 1520)? = (3° - 17 - 23 - 47)? (mod 1042387), ice., 
6478537 = 496179? (mod 1042387), and we obtain the nontrivial factor 
g.c.d.(647853 — 496179, 1042387) = 1487. 

Based on some plausible conjectures, one can show that the expected 
running time of the quadratic sieve factoring method is asymptotically 


O (ecroyier log log .) 


for any € > 0. There is a fairly large space requirement, also of the form 
exp(C'/log n log log n). For a detailed discussion of time and space require- 
ments for the quadratic sieve (and several other) factoring algorithms, see 
Pomerance’s article in the volume Computation Methods in Number The- 
ory. 

The number field sieve. Until recently, all of the contenders for the 
best general purpose factoring algorithm had running time of the form 


exp(O(1/log n log logn)). 


Some people even thought that this function of n might be a natural lower 
bound on the running time. However, during the last few years a new 
method — called the number field sieve — has been developed that has 
a heuristic running time that is much better (asymptotically), namely: 


exp(O((logn)'/3 (log log n)?/9)). 


In practice, it appears to be the fastest method for factoring numbers that 
are at or beyond the current (1994) upper limits of what can be factored, 
ie., > 150 digits. 

In some respects, the number field sieve factoring algorithm is similar 
to the earlier algorithms that attempt to combine congruences so as to 
obtain a relation of the form x? = y* (mod n). However, one uses a “factor 
base” in the ring of integers of a suitably chosen algebraic number field. 
Thus, along with the basic machinery of the quadratic sieve, this factoring 
method uses algebraic number theory. It is perhaps the most complicated 
factoring algorithm known. We shall give only an overview. 

The basic requirements of the algorithm can be briefly described as 
follows. Given an integer n to be factored, choose a degree d and find n as 
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the value at some integer m of an irreducible monic integer polynomial of 
degree d: 


n=f(m)= m? + ag_1m?! + ag_gm?-? +. --- 4am + ao, 


where m and the a, are integers that are O(n/ 4). One way to find such a 
polynomial is to let m be the integer part of the d-th root of n and then 
expand n to the base m. For 125-digit numbers an analysis of the algorithm 
suggests that d should be 5, so that m and the coefficients will have about 
25 digits. 

The number field sieve then searches (by a sieving process similar to 
the quadratic sieve) for as many pairs (a,b) as possible such that both 
a+ bm and also 


b¢ f(—a/b) 4 (—a)4 +ag-1(—a)* b+ ag—2(—a)4~7b* +-+-—a,ab4-! + agb4 


are smooth over a given factor base (i.e., are divisible only by primes in 
the factor base). The details of how this is done and how this leads to a 
factorization of n can be found in the book The Development of the Number 
Field Sieve cited in the references below. In order for this procedure to 
succeed, the proportion of smooth numbers among values of the polynomial 
f should be approximately the same as the proportion of smooth numbers 
among all numbers of the same size. Although this is likely to be true, and 
is true in all examples that have been computed, it seems to be a very 
hard assertion to prove. Since the estimate of running time depends on 
this unproved conjecture, it is a heuristic estimate. While perhaps of little 
consequence in practice for factoring actual numbers, this circumstance 
points to some important open problems in the analysis of the theoretical 
asymptotic complexity of factoring. 

The author would like to thank Joe Buhler for providing the above 
brief summary of the number field sieve for this book. 


Exercises 


1. Inthe example, find all linear dependence relations mod 2 between the 
rows of the matrix, and show that if P = 50 and A < 499 one cannot 
get a nontrivial factorization of 1042387 by this method. 

2. Let mn — oo, and suppose that P and A are always chosen to have the 
same order of magnitude (for example, suppose that there are positive 
constants c, and cg such that c, < log A/ log P < c2). Asymptotically, 
what is the most time-consuming part of steps 1)-7) in the above ver- 
sion of the quadratic sieve? Give a big-O estimate for the number of 
bit operations required by that step. 

3. Use the method in this section with P = 50 and A = 500 to factor: 
(a) 1046603, (b) 1059691, and (c) 998771. 
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VI 
Elliptic Curves 


In recent years a topic in number theory and algebraic geometry — ellip- 
tic curves (more precisely, the theory of elliptic curves defined over finite 
fields) — has found application in cryptography. The basic reason for this 
is that elliptic curves over finite fields provide an inexhaustible supply of 
finite abelian groups which, even when large, are amenable to computation 
because of their rich structure. Before (§IV.3) we worked with the multi- 
plicative groups of fields. In many ways elliptic curves are natural analogs 
of these groups; but they have the advantage that one has more flexibility 
in choosing an elliptic curve than in choosing a finite field. 

We shall start by presenting the basic definitions and facts about el- 
liptic curves. We shall include only the minimal amount of background 
necessary to understand the applications to cryptography in §§2-4, em- 
phasizing examples and concrete descriptions at the expense of proofs and 
generality. For systematic treatments of the subject, see the references at 
the end of §1. 


1 Basic facts 


In this section let K be a field. For us, K will be either the field R of real 
numbers, the field Q of rational numbers, the field C of complex numbers, 
or the finite field F, of gq = p” elements. 

Definition. Let K be a field of characteristic 4 2, 3, and let x3 +ax+b 
(where a,b € K) be a cubic polynomial with no multiple roots. An elliptic 


168 VI. Elliptic Curves 


curve over K is the set of points (x,y) with z,y € K which satisfy the 
equation 
yy =a +azr+b, (1) 


together with a single element denoted O and called the “point at infinity” 
(about which more will be said below). 

If K is a field of characteristic 2, then an elliptic curve over K is the 
set of points satisfying an equation of type either 


yto=a22+ar+b (2a) 


or else 
y+ay=2>+az?+b (2b) 


(here we do not care whether or not the cubic on the right has multiple 
roots) together with a “point at infinity” O. 

If K is a field of characteristic 3, then an elliptic curve over K is the 
set of points satisfying the equation 


y =x +azr*+br+ce (3) 


(where the cubic on the right has no multiple roots) together with a “point 
at infinity” O. 

Remarks. 1. There’s a general form of the equation of an ellipse which 
applies to any field: y* + ajzy + agy = 2° + agx” + agx + a6, which when 
char K # 2 can be transformed to y* = x? + az? + br +c (and to the 
form y? = x3 + bx +c if char K > 3). In the case when the field K has 
characteristic 2, this equation can be transformed either to (2a) or (2b). 

2. If we let F(x,y) = 0 be the implicit equation for y as a function 
of x in (1) (or (2), (3)), ic, F(z,y) = y? — 2? — ax —b (or F(z,y) = 
ytoyta2+artb, y2+acy+22 + ax +b, y? — 23 — ax? — br —c), then 
a point (x,y) on the curve is said to be non-singular (or a smooth point) 
if at least one of the partial derivatives OF /Ox, OF /Oy is nonzero at the 
point. (Derivatives of polynomials can be defined by the usual formulas over 
any field; see paragraph 5 at the beginning of Chapter JI.) It is not hard 
to show that the condition that the cubic on the right in (1) and (3) not 
have multiple roots is equivalent to requiring that all points on the curve 
be nonsingular. 

Elliptic curves over the reals. Before discussing some specific examples 
of elliptic curves over various fields, we shall introduce a centrally important 
fact about the set of points on an elliptic curve: they form an abelian group. 
In order to explain how this works visually, for the moment we shall assume 
that K = R, i.e., the elliptic curve is an ordinary curve in the plane (plus 
one other point O “at infinity”). 

Definition. Let E be an elliptic curve over the real numbers, and let P 
and Q be two points on E. We define the negative of P and the sum P+Q 
according to the following rules: 
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1. If P is the point at infinity O, then we define —P to be O and P+Q 
to be Q; that is, O serves as the additive identity (“zero element”) of 
the group of points. In what follows, we shall suppose that neither P 
nor Q is the point at infinity. 

2. The negative —P is the point with the same z-coordinate but negative 
the y-coordinate of P, ie., —(z,y) = (z,—y). It is obvious from (1) 
that (x, —y) is on the curve whenever (z, y) is. 

3. If P and Q have different x-coordinates, then it is not hard to see 
that the line 2 = PQ intersects the curve in exactly one more point R 
(unless that line is tangent to the curve at P, in which case we take 
R= P, or at Q, in which case we take R = Q). Then define P + Q to 
be —R, i.e., the mirror image (with respect to the z-axis) of the third 
point of intersection. The geometrical construction that gives P+ Q is 
illustrated in Example 1 below. 

4. If Q=—P (i.e., Q has the same z-coordinate but minus the y-coordi- 
nate), then we define P+ Q = O (the point at infinity). (This is forced 
on us by (2).) 

5. The final possibility is P = Q. Then let @ be the tangent line to the 
curve at P, let R be the only other point of intersection of @ with the 
curve, and define P+ Q = —R. (R is taken to be P if the tangent line 
has a “double tangency” at P, i.e., if P is a point of inflection.) 
Example 1. The elliptic 

curve y? = x°—z in the ry-plane 
is sketched to the right. The dia- 
gram also shows a typical case of 
adding points P and Q. To find 
P+Q one draws a chord through 
P and Q, and takes P+ Q to 
be the point symmetric (with re- 
spect to the z-axis) to the third 
point where the line through P 
and Q intersects the curve. If 
P and Q were the same point, 
ie., if we wanted to find 2P, 
we would use the tangent line 
to the curve at P; then 2P is 
the point symmetric to the third 
point where that tangent line in- 
tersects the curve. 

We now show why there is exactly one more point where the line @ 
through P and Q intersects the curve; at the same time we will derive a 
formula for the coordinates of this third point, and hence for the coordinates 
of P+Q. 

Let (71,41), (£2, y2) and (x3, y3) denote the coordinates of P, Q, and 
P+Q, respectively. We want to express x3 and y3 in terms of 21, yi, 22, Yo. 
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Suppose that we are in case (3) in the definition of P+Q, and let y = ar+f 
be the equation of the line through P and Q (which is not a vertical line in 
case (3)). Then a = (y2 — y1)/(z2 — £1), and B = y, — az. A point on £, 
i.e., a point (x, ax + f), lies on the elliptic curve if and only if (az + 8)? = 
z* + ax +b. Thus, there is one intersection point for each root of the cubic 
equation x° — (az + 8) + az + b. We already know that there are the two 
roots 2; and x2, because (1), a2; + 3), (Z2,az2 + B) are the points P, Q 
on the curve. Since the sum of the roots of a monic polynomial is equal to 
minus the coefficient of the second-to-highest power, we conclude that the 
third root in this case is x3 = a? — 21 — 22. This leads to an expression for 
23, and hence P + Q = (23, —(ax3 + 8)), in terms of 11, 22, y1, ya: 


= 2 
r3 = (2—*) — ©) — 22; 


ioe (4) 
yg = Yi + (2 )@ — 23). 


The case (5) when P = Q is similar, except that a is now the derivative 
dy/dz at P. Implicit differentiation of Equation (1) leads to the formula a = 
(3x? + a)/2y,, and so we obtain the following formulas for the coordinates 


of twice P: Aces 
ry +a 
r3 = (——*) — 22; 
ait (Mi+*) (2 Sie 
¥3 1 yi 1 3): 


Example 2. On the elliptic curve y* = z° — 362 let P = (—3,9) and 
Q = (2,8). Find P+ Q and 2P. 

Solution. Substituting 2; = —3, y, = 9, 2 = —2, ye = 8 in the first 
equation in (4) gives x3 = 6; then the second equation in (4) gives y3 = 0. 
Next, substituting 2; = —3, y; = 9, a = —36 in the first equation in (5) 
gives 25/4 for the x-coordinate of 2P; then the second equation in (5) gives 
—35/8 for its y-coordinate. 

There are several ways of proving that the above definition of P + Q 
makes the points on an elliptic curve into an abelian group. One can use 
an argument from projective geometry, a complex analytic argument with 
doubly periodic functions, or an algebraic argument involving divisors on 
curves. See the references at the end of the section for proofs of each type. 

As in any abelian group, we use the notation nP to denote P added 
to itself n times if n is positive, and otherwise —P added to itself |n| times. 

We have not yet said much about the “point of infinity” O. By defi- 
nition, it is the identity of the group law. In the diagram above, it should 
be visualized as sitting infinitely far up the y-axis, in the limiting direction 
of the ever-steeper tangents to the curve. It is the “third point of intersec- 
tion” of any vertical line with the curve; that is, such a line has points of 
intersection of the form (7,41), (v1, —y1) and O. A more natural way to 
introduce the point O is as follows. 
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By the projective plane we mean the set of equivalence classes of triples 
(X,Y, Z) (not all components zero) where two triples are said to be equiv- 
alent if they are a scalar multiple of one another, ie., (AX,AY,AZ) ~ 
(X,Y, Z). Such an equivalence class is called a projective point. If a pro- 
jective point has nonzero Z, then there is one and only one triple in its 
equivalence class of the form (z, y, 1): simply set z = X/Z, y = Y/Z. Thus, 
the projective plane can be identified with all points (z, y) of the ordinary 
(“affine”) plane plus the points for which Z = 0. The latter points make 
up what is called the line at infinity; roughly speaking, it can be visualized 
as the “horizon” on the plane. Any equation F(z,y) = 0 of a curve in the 
affine plane corresponds to an equation F(X,Y,Z) = 0 satisfied by the 
corresponding projective points: simply replace z by X/Z and y by Y/Z 
and multiply by a power of Z to clear the denominators. For example, if 
we apply this procedure to the affine equation (1) of an elliptic curve, we 
obtain its “projective equation” Y?Z = X3+aX Z?+bZ?. This latter equa- 
tion is satisfied by all projective points (X,Y, Z) with Z 4 0 for which the 
corresponding affine points (z,y), where c = X/Z, y = Y/Z, satisfy (1). 
In addition, what projective points (X,Y, Z) on the line at infinity satisfy 
the equation F = 0? Setting Z = 0 in the equation leads to 0 = X, ice., 
X = 0. But the only equivalence class of triples (X,Y, Z) with both X and 
Z zero is the class of (0, 1,0). This is the point we call O. It is the point on 
the intersection of the y-axis with the line at infinity. 

Elliptic curves over the complexes. The algebraic formulas (4)-(5) for 
adding points on an elliptic curve over the reals actually make sense over 
any field. (If the field has characteristic 2 or 3, one derives similar equations 
starting from Equation (2) or (3).) It can be shown that these formulas give 
an abelian group law on an elliptic curve over any field. 

In particular, let E be an elliptic curve defined over the field C of 
complex numbers. Thus, EF is the set of pairs (x,y) of complex numbers 
satisfying Equation (1), together with the point at infinity O. Although 
E is a “curve,” if we think in terms of familiar geometrical pictures, it 
is 2-dimensional, i.e., it is a surface in the 4-real-dimensional space whose 
coordinates are the real and imaginary parts of x and y. We now describe 
how E can be visualized as a surface. 

Let L be a lattice in the complex plane. This means that L is the 
abelian group of all integer combinations of two complex numbers w, and 
we (where w, and w2 span the plane, i.e., do not lie on the same line through 
the origin): L = Zw, + Zw2. For example, if w; = 1 and we = i, then L 
is the Gaussian integers, the square grid consisting of all complex numbers 
with integer real and imaginary parts. 

Given an elliptic curve (1) over the complex numbers, it turns out 
that there exist a lattice L and a complex function, called the “Weierstrass 
g-function” and denoted g,(z), which has the following properties. 

1. (z) is analytic except for a double pole at each point of L; 
2. (z) satisfies the differential equation g’* = g? +ap+b, and hence for 
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any z ¢ L the point (g(z), 9’(z)) lies on the elliptic curve E; 

3. two complex numbers z; and z2 give the same point (¢(z), 9’(z)) on 
E if and only if z, — zo € L; 

4. the map that associates any z ¢ L to the corresponding point ((z), 
g’(z)) on E and associates any z € L to the point at infinity O € 
E gives a 1-to-1 correspondence between E and the quotient of the 
complex plane by the subgroup L (denoted C/L); 

5. this 1-to-1 correspondence is an isomorphism of abelian groups. In 
other words, if 2, corresponds to the point P € E and z2 corresponds 
to Q € EF, then the complex number z, + z2 corresponds to the point 
P+Q. 

Thus, we can think of the abelian group E as equivalent to the complex 
plane modulo a suitable lattice. To visualize the latter group, note that 
every equivalence class z + L has one and only one representative in the 
“fundamental parallelogram” consisting of complex numbers of the form 
aw, + bw2, 0 < a,b < 1 (for example, if L is the Gaussian integers, the 
fundamental parallelogram is the unit square). Since opposite points on 
the parallel sides of the boundary of the parallelogram differ by a lattice 
point, they are equal in C/L. That is, we think of them as “glued together.” 
If we visualize this — folding over one side of the parallelogram to meet 
the opposite side (obtaining a segment of a cylinder) and then folding over 
again and gluing the opposite circles — we see that we obtain a “torus” 
(donut), pictured below. 
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As a group, the torus is the product of two copies of a circle, i.e., 
its points can be parametrized by ordered pairs of angles (a, 3). (More 
precisely, if the torus was obtained from the lattice L = Zw, + Zwe, then 
we write an element in C/L in the form aw; + bw2 and take a = 27a, 
8 = 2b.) Thus, we can think of an elliptic curve over the complex numbers 
as a generalization to two real dimensions of the circle in the real plane. 
In fact, this analogy goes much farther than one might think. The “elliptic 
functions” (which tell us how to go back from a point (z,y) € E to the 
complex number z for which (z,y) = (g(z), 9’(z))) turn out to have some 
properties analogous to the familiar function Arcsin (which tells us how to 
go back from a point on the unit circle to the real number that corresponds 
to that point when we “wrap” the real number line around the circle). In 
the algebraic number theory of elliptic curves, one finds a deep analogy 
between the coordinates of the “n-division points” on an elliptic curves 
(the points P such that nP is the identity O) and the n-division points on 
the unit circle (which are the n-th roots of unity in the complex plane). See 
the references at the end of the section for more information on this, and 
for the definition of the Weierstrass ¢-function and proofs of its properties. 

Elliptic curves over the rationals. In Equation (1), if a and 6 are ra- 
tional numbers, it is natural to look for rational solutions (z,y), i.e., to 
consider the elliptic curve over the field Q of rational numbers. There is 
a vast theory of elliptic curves over the rationals. It turns out that the 
abelian group is finitely generated (the Mordell theorem). This means that 
it consists of a finite “torsion subgroup” (the points of finite order) plus 
the subgroup generated by a finite number of points of infinite order. The 
number of generators needed for the infinite part is called the rank r; it is 
zero if and only if the entire group is finite. The study of the rank r and 
other features of the group of an elliptic curve over Q is related to many in- 
teresting questions in number theory and algebraic geometry. For example, 
a question asked since ancient times — “Given a positive integer n, when 
does there exist a right triangle with rational sides whose area is n?” — 
turns out to be equivalent to the question “Is the rank of the elliptic curve 
y’? = x — nz greater than zero?” The case n = 6 and the 3 — 4 — 5 right 
triangle lead to the point P in Example 2, which is a point of infinite order 
on the curve y? = x? — 36z. For more information on this subject, we again 
refer the reader to the references at the end of the section. 

Points of finite order. The order N of a point P on an elliptic curve is 
the smallest positive integer such that NP = O; of course, such a finite NV 
need not exist. It is often of interest to find points P of finite order on an 
elliptic curve, especially for elliptic curves defined over Q. 

Example 3. Find the order of P = (2,3) on y? = 2° +1. 

Solution. Using (5), we find that 2P = (0,1), and using (5) again gives 
4P = 2(2P) = (0,-1). Thus, 4P = —2P, and so 6P = O. Thus, the order 
of P is 2, 3 or 6. But 2P = (0,1) # O, and if P had order 3, then 4P = P, 
which is not true. Thus, P has order 6. 
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Elliptic curves over a finite field. For the rest of this section we shall 
let K be the finite field F, of g = p” elements. Let EF be an elliptic curve 
defined over Fy. If p = 2 or 3, then E is given by an equation of the form 
(2) or (3), respectively. 

It is easy to see that an elliptic curve can have at most 2qg+1 F,-points, 
ie., the point at infinity along with 2q pairs (x,y) with z,y € F, which 
satisfy (1) (or (2) or (3) if p = 2 or 3). Namely, for each of the q possible 
zx’s there are at most 2 y’s which satisfy (1). 

But since only half of the elements of Fj have square roots, one would 
expect (if 2° + ax + b were random elements of the field) that there would 
be only about half that number of F,-points. More precisely, let + be the 
quadratic character of F,. This is the map which takes x € Fj to +1 
depending on whether or not x has a square root in F, (and we take x(0) = 
0). For example, if g = p is a prime, then x(x) = (3) is the Legendre symbol 
(see § 11.2). Thus, in all cases the number of solutions y € F, to the equation 
y” = wis equal to 1+ x(u), and so the number of solutions to (1) (counting 
the point at infinity) is 


1+ So (1+ x(a +a0+6)) =G+14+ D> x(2* + ar+0). (6) 
zeF, ceF, 


We would expect that x(z?+ax+b) would be equally likely to be +1 and —1. 
Taking the sum is much like a “random walk”: toss a coin g times, moving 
one step forward for heads, one step backward for tails. In probability theory 
one computes that the net distance traveled after gq tosses is of the order of 
/q. The sum 55 x(x? + ax + b) behaves a little like a random walk. More 
precisely, one finds that this sum is bounded by 2,/q. This result is Hasse’s 
Theorem; for a proof, see § V.1 of Silverman’s book on elliptic curves cited 
in the references. 

Hasse’s Theorem. Let N be the number of F,-points on an elliptic 
curve defined over F,. Then 


IN — (q¢+1)| < 24. 


In addition to the number N of elements on an elliptic curve defined 
over F,, we might want to know the actual structure of the abelian group. 
This abelian group is not necessarily cyclic, but it can be shown that it 
is always a product of two cyclic groups. This means that it is isomorphic 
to a product of p-primary groups of the form Z/p*Z x Z/p°Z, where the 
product is taken over primes dividing N (here a > 1, 3 > 0). By the type of 
the abelian group of F,-points on E, we mean a listing (...,p%, p,.. -)pIN 
of the orders of the cyclic p-primary factors (we omit p* when @ = 0). It is 
not always easy to find the type. 

Example 4. Find the type of y? = x3 — x over F7. 

Solution. We first find the number of points N. In (6) we notice 
that in the sum the term for z and the term for —z cancel, because 
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x((—z)8 —(—2)) = x(—1)x(z3-2), and x(-1) = —1 because 71 = 3 mod 4. 
Thus, N = q+1 = 72. Notice that there are exactly four points of or- 
der 2 (including the identity O), because they correspond to the roots of 
x? — x = x(x — 1)(x + 1) (see Exercise 4(a) below). This means that the 
2-primary part of the group has type (4, 2), and so the type of the group is ei- 
ther (4, 2,3, 3) or else (4, 2,9), depending on whether there are 9 or 3 points 
of order 3, respectively. So it remains to determine whether or not there 
can be 9 points of order 3. Note that for any P # O the equation 3P = O 
is equivalent to 2P = +P, i.e., to the condition that the z-coordinates of P 
and 2P be the same. By (5), this means that ((32? — 1)/2y)? — 22 = g, i.e., 
(3a? —1)? = 12ay? = 1224 — 122? Simplifying, we obtain 324 — 6a? —1 = 0. 
There are at most 4 roots to this equation in F7;. If there are four roots, 
then each root can give at most 2 points (by taking y = +Vz3 — cif z?-z 
has a square root modulo 71), and so we may in this way obtain 9 points 
of order 3 (including the identity O at infinity). Otherwise, there must be 
fewer than 9 points of order 3 (and hence exactly 3 points of order 3). But 
if the root x of the quartic polynomial has rz? — z a square modulo 71, 
then the root —z of the quartic has (—a)? — (—r) = —(x* — z) a nonsquare 
modulo 71. Thus, we cannot get 9 points of order 3, and so the type of the 
group is (4, 2, 9). 

Extensions of finite fields, and the Weil conjectures. If an elliptic curve 
E is defined over F4, then it is also defined over Fg for r = 1,2,..., and so 
it is meaningful to consider the F,r-points, i.e., to look at solutions of (1) 
over extension fields. If we start out with F, as the field over which E is 
defined, we let N, denote the number of Fyr-points on E. (Thus, N; = N 
is the number of points with coordinates in our “ground field” F,.) 

From the numbers N, one forms the “generating series” Z(T; E/F 4), 
which is the formal power series in Q|[T]] defined by setting 


2(T; E/F,) <en (7) 


in which T is an indeterminate, the notation E/F, designates the elliptic 
curve and the field we’re taking as our ground field, and the sum on the 
right is over all r = 1,2,... . It can be shown that the series on the right 
(obtained by taking the infinite product of the exponential power series 
eN-T"/T) actually has positive integer coefficients. This power series is called 
the zeta-function of the elliptic curve (over F,), and is a very important 
object associated with E. 

The “Weil conjectures” (now a theorem of P. Deligne) say in a much 
more general context (algebraic varieties of any dimension) that the zeta- 
function has a very special form. In the case of an elliptic curve E/F, Weil 
proved the following. 

Weil conjectures [theorem] for an elliptic curve. The zeta-function is 
a rational function of T having the form 
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1-—aT + qT? 


Z(T; E/F,) = and’ (8) 


where only the integer a depends on the particular elliptic curve E. The 
value a is related to N = N, as follows: N=q+1-<a. In addition, the 
discriminant of the quadratic polynomial in the numerator is negative (i.e., 
a? < 4q, which is Hasse’s Theorem) and so the quadratic has two complex 
conjugate roots a, B both of absolute value \/q. (More precisely, 1/a and 
1/G are the roots, and a, B are the “reciprocal roots. ”) 

For a proof, see § V.2 of Silverman’s book. 

Remark. If we write the numerator of (8) in the form (1—aT)(1—T) 
and then take the derivative of the logarithm of both sides (replacing the 
left side by its definition (7)), we soon see that the formula (8) is equivalent 
to writing the sequence of relations 


N,=q' +1-a"- 8", r=1,2,.... 


Since a@ and £, along with a, are determined once you know N = Nj, 
this means that the number of points over F, uniquely determines the 
number of points over any extension field. Thus, among other things, Weil’s 
conjectures for elliptic curves are useful for determining the number of 
points over extension fields of large degree. 

Example 5. The zeta-function of the elliptic curve y? + y = z° over 
F. is easily computed from the fact that there are three F2-points. It is 
(1 + 2T?)/(1 —T)(1 — 27), i-e., the reciprocal roots of the numerator are 
+i,/2. This leads to the formula 


27 +41, if r is odd; 
Noe { 27 4+1-2(-2)"/2, ifr is even. (9) 


To conclude this section, we remark that there are many analogies 
between the group of F,-points on an elliptic curve and the multiplicative 
group (F,)*. For example, they have approximately the same number of 
elements, by Hasse’s Theorem. But the former construction of an abelian 
group has a major advantage that explains its usefulness in cryptography: 
for a single (large) q there are many different elliptic curves and many 
different N that one can choose from. Elliptic curves offer a rich source of 
“naturally occurring” finite abelian groups. We shall take advantage of this 
in the next three sections. 


Exercises 


1. If E is an elliptic curve defined over C whose equation (1) actually has 
coefficients a,b € R, then the points of E with real coordinates form 
a subgroup. What are the possible subgroups of the complex curve E 
(which as a group is isomorphic to the product of the circle group with 
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itself) which can occur as the group of real points? Give an example 
of each. 


2. How many points P of order n (ie., nP = O) are there on an elliptic 
curve defined over C? How about on an elliptic curve over R? 

3. Give an example of an elliptic curve over R. which has exactly 2 points 
of order 2, and another example which has exactly 4 points of order 2. 

4. Let P be a point on an elliptic curve over R. Suppose that P is not 
the point at infinity. Give a geometric condition that is equivalent to 
P being a point of order (a) 2; (b) 3; (c) 4. 

5. Each of the following points has finite order on the given elliptic curve 
over Q. In each case, find the order of P. 

(a) P = (0,16) on y? = x? + 256. 

(b) P=(§,$) ony? = 23 + da. 

(c) P = (3,8) on y? = 2 — 43x + 166. 

(d) P = (0,0) on y? + y = 2° — a? (which can be written in the form 
(1) by making the change of variables y — y — $, 7 —> x + 3). 

6. Derive addition formulas similar to (4)-(5) for elliptic curves in char- 
acteristic 2, 3 (see Equations (2)—(3)). 

7. Prove that there are q+ 1 F,-points on the elliptic curve 
(a) y? = 23 — x when g = 3 mod 4; 

(b) y? = x? — 1 when q = 2 mod 3 (where q is odd); 
(c) y2+y = 2° when g = 2 mod 3 (q may be even here). 

8. For all odd prime powers g = p” up to 27 find the order and type of the 
group of F,-points on the elliptic curves y? = 3 — x and y? = 2° —- 1 
(in the latter case when p # 3). In some cases you will have to check 
how many points have order 3 or 4. 

9. Let q = 2", and let the elliptic curve E over F, have equation y* + y = 
x, 

(a) Express the coordinates of —P and 2P in terms of the coordinates 
of P. 

(b) If g = 16, show that every P € E is a point of order 3. 

(c) Show that any point of E with coordinates in Fj, actually has 
coordinates in F4. Then use Hasse’s Theorem with q = 4 and 16 to 
determine the number of points on the curve. 

10. Compute the zeta-functions of the two curves in Exercise 8 over F, for 
p =5,7, 11, 13. 

11. Compute the zeta function of the curve y* + y = 2? ~z+1 over F, 
for p = 2 and 3. (First show that N, = 1 in both cases.) Letting 
N(x) = x-& denote the norm of a complex number, find a simple 
formula for N,.. 
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2 Elliptic curve cryptosystems 


In §IV.3 we saw how the finite abelian group Fj — the multiplicative group 
of a finite field — can be used to create public key cryptosystems. More 
precisely, it was the difficulty of solving the discrete logarithm problem in 
finite fields that led to the cryptosystems discussed in §IV.3. The purpose 
of this section is to make analogous public key systems based on the finite 
abelian group of an elliptic curve E' defined over Fy. 

Before introducing the cryptosystems themselves, there are some pre- 
liminary matters that must be discussed. 

Multiples of points. The elliptic curve analogy of multiplying two ele- 
ments of F{ is adding two points on E, where E is an elliptic curve defined 
over F,. Thus, the analog of raising to the k-th power in F is multiplication 
of a point P € FE by an integer k. Raising to the k-th power in a finite field 
can be accomplished by the repeated squaring method in O(log k log*q) bit 
operations (see Proposition II.1.9). Similarly, we shall show that the mul- 
tiple kP € E can be found in O(log k log?q) bit operations by the method 
of repeated doubling. 

Example 1. To find 100P we write 100P = 2(2(P + 2(2(2(P+2P))))), 
and end up performing 6 doublings and 2 additions of points on the curve. 

Proposition VI.2.1. Suppose that an elliptic curve E is defined by a 
Weierstrass equation (equation (1), (2) or (3) in the last section) over a 
finite field Fz. Given P € E, the coordinates of kP can be computed in 
O(log k log*q) bit operations. 

Proof. Note that there are fewer than 20 computations in F, (multi- 
plications, divisions, additions, or subtractions) involved in computing the 
coordinates of a sum of two points by means of equations (4)-(5) (or the 
analogous equations in Exercise 6 of §1). Thus, by Proposition II.1.9, each 
such addition (or doubling) of points takes time O(log?q). Since there are 
O(log k) steps in the repeated doubling method (see the proof of Propo- 
sition 1.3.6), we conclude that the coordinates of KP can be calculated in 
O(log k log?q) bit operations. 

Remarks. 1. The time estimate in Proposition VI.2.1 is not the best 
possible, especially in the case when our finite field has characteristic p = 2. 
But we shall be satisfied with the estimates that result from using the most 
obvious algorithms for arithmetic in finite fields. 
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2. If we happen to know the number N of points on our elliptic curve E, 
and if k > N, then since NP = O we can replace k by its least nonnegative 
residue modulo N before computing kP; in this case we can replace the 
time estimate by O(log4g) (recall that N < g+1+ 2,/q = O(q)). There 
is an algorithm due to René Schoof which computes N in O(log®q) bit 
operations. 


Imbedding plaintexts. We shall want to encode our plaintexts as points 
on some given elliptic curve E defined over a finite field F,. We want to 
do this in a simple systematic way, so that the plaintext m (which we 
may regard as an integer in some range) can readily be determined from 
knowledge of the coordinates of the corresponding point P,,. Notice that 
this “encoding” is not the same thing as encryption. Later we shall discuss 
ways to encrypt the plaintext points P,,. But an authorized user of the 
system must be able to recover m after deciphering the ciphertext point. 

There are two remarks that should be made here. In the first place, 
there is no polynomial time (in logq) deterministic algorithm known for 
writing down a large number of points on an arbitrary elliptic curve E 
over F,. However, there are probabilistic algorithms for which the chance 
of failure is very small, as we shall see below. In the second place, it is not 
enough to generate random points of E: in order to encode a large number 
of possible messages m, we need a systematic way to generate points that 
are related to m in some way, for example, the z-coordinate has a simple 
relationship to the integer m. 

Here is one possible probabilistic method to imbed plaintexts as points 
on an elliptic curve E defined over F,, where g = p” is assumed to be large 
(and odd; see Exercise 8 below for g = 2”). Let & be a large enough integer 
so that we are satisfied with a failure probability of 1 out of 2” when we 
attempt to imbed a plaintext message unit m; in practice k = 30 or at 
worse & = 50 should suffice. We suppose that our message units m are 
integers 0 < m < M. We also suppose that our finite field is chosen so that 
q > Mk. We write the integers from 1 to Mx in the form mk + j, where 
1 <j <k«, and we set up a 1-to-1 correspondence between such integers 
and a set of elements of F,. For example, we write such an integer as an 
r-digit integer to the base p, and take the r digits, considered as elements 
of Z/pZ, as the coefficients of a polynomial of degree r — 1 corresponding to 
an element of F,. That is, the integer (a,_14,-2--+@1@9)p corresponds to 
the polynomial yu a;X4, which, considered modulo some fixed degree-r 
irreducible polynomial over F,, gives an element of Fy. 

Thus, given m, for each j = 1,2,...,« we obtain an element zx of F, 
corresponding to mk + j. For such an x, we compute the right side of the 
equation 

y’? = f(z) =22 +ar+, 


and try to find a square root of f(z) using the method explained at the end 
of §II.2. (Although the algorithm was given for the prime field F,, it carries 
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over word for word to any finite field F,. In order to use it we must have 
a nonsquare g in the field, which can easily be found by a probabilistic 
algorithm.) If we find a y such that y? = f(x), we take P,, = (z,y). If 
it turns out that f(x) is a nonsquare, then we increment j by 1 and try 
again with the corresponding x. Provided we find an x for which f(x) is a 
square before j gets bigger than x, we can recover m from the point (sz, y) 
by the formula m = [(z —1)/ K] , where Z is the integer corresponding to 
x under the 1-to-1 correspondence between integers and elements of Fy. 
Since f(x) is a square for approximately 50% of all z, there is only about 
a 2-* probability that this method will fail to produce a point P,, whose 
zx-coordinate corresponds to an integer Z between mk+1 and mk+k. (More 
precisely, the probability that f(z) is a square is essentially equal to N/2q; 
but N/2q is very close to 1/2.) 

Discrete log on E. In §IV.3 we discussed public key cryptosystems 
based on the discrete logarithm problem in the multiplicative group of a 
finite field. Now we do the same in the group (under addition of points) of 
an elliptic curve E defined over a finite field Fy. 

Definition. If FE is an elliptic curve over F, and B is a point of E, then 
the discrete log problem on E (to the base B) is the problem, given a point 
P € E, of finding an integer x € Z such that xB = P if such an integer x 
exists. 

It is likely that the discrete log problem on elliptic curves will prove 
to be more intractible than the discrete log problem in finite fields. The 
strongest techniques developed for use in finite fields do not seem to work 
on elliptic curves. This is especially true in the case of characteristic 2. 
As explained in Odlyzko’s survey article cited in the references, special 
methods for solving the discrete log problem in F3, make it relatively easy 
to compute discrete logs, and hence break the cryptosystems discussed in 
§IV.3, unless r is chosen to be rather large. It seems that the analogous 
systems using elliptic curves defined over F2- (see below) will be secure with 
significantly smaller values of r. Since there are practical reasons (relating 
to both computer hardware and software) for preferring to do arithmetic 
over the fields F2-, the public key cryptosystems discussed below may turn 
out to be more convenient in applications than the systems based on the 
discrete log problem in F9. 

Until 1990, the only discrete log algorithms known for an elliptic curve 
were the ones that work in any group, irrespective of any particular struc- 
ture. These are exponential time algorithms, provided that the order of the 
group is divisible by a large prime factor. But then Menezes, Okamoto, and 
Vanstone found a new approach to the discrete log problem on an elliptic 
curve E defined over F,. Namely, they used the Weil pairing (see §III.8 of 
Silverman’s textbook cited in the references to §1) to imbed the group E 
into the multiplicative group of some extension field Fj.. This imbedding 
reduces the discrete log problem on FE to the discrete log problem in F%,.. 

However, in order for the Weil pairing reduction to help, it is essential 
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for the extension degree k to be small. Essentially the only elliptic curves for 
which k is small are the so-called “supersingular” elliptic curves, the most 
familiar examples of which are curves of the form y? = z?-+ az when the 
characteristic p of F, is = —1 (mod 4), and curves of the form y? = 2° +b 
when p = —1 (mod 3). The vast majority of elliptic curves, however, are 
nonsupersingular. For them, the reduction almost never leads to a subex- 
ponential algorithm (see my paper in Journal of Cryptology cited in the 
references). 


Thus, a key advantage of elliptic curve cryptosystems is that no subex- 
ponential algorithm is known that breaks the system, provided that we 
avoid supersingular curves and also curves whose order has no large prime 
factor. 


We now describe analogs of the public key systems in §IV.3 based on 
the discrete log problem on an elliptic curve FE defined over a finite field 
Fy. 


Analog of the Diffie-Helman key exchange. Suppose that Aida and 
Bernardo want to agree upon a key which will later be used in conjunction 
with a classical cryptosystem. They first publicly choose a finite field F, 
and an elliptic curve E defined over it. Their key will be constructed from 
a random point P on the elliptic curve. For example, if they have a random 
point P € E, then taking the z-coordinate of P gives a random element of 
F,, which can then be converted to a random r-digit base-p integer (where 
q = p") which serves as the key to their classical cryptosystem. (Here we’re 
using the word “random” in an imprecise sense; all we mean is that its choice 
is arbitrary and unpredictable in a large set of admissible keys.) Their task 
is to choose the point P in such a way that all of their communication with 
one another is public and yet no one other than the two of them knows 
what P is. 

Aida and Bernardo first publicly choose a point B € E to serve as 
their “base.” B plays the role of the generator g in the finite—field Diffie— 
Hellman system. However, we do not want to insist that B be a generator 
of the group of points on E. In fact, the latter group may fail to be cyclic. 
Even if it is cyclic, we want to avoid the effort of verifying that B is a 
generator (or even determining the number N of points, which we do not 
need to know in what follows). We would like the subgroup generated by B 
to be large, preferably of the same order of size as E itself. This question 
will be discussed later. For now, let us suppose that B is a fixed publicly 
known point on E whose order is very large (either N or a large divisor of 
N). 

To generate a key, first Aida chooses a random integer a of order of 
magnitude q (which is approximately the same as N), which she keeps 
secret. She computes aB € E, which she makes public. Bernardo does the 
same: he chooses a random b and makes public bB € E. The secret key they 
use is then P = abB € E. Both users can compute this key. For example, 
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Aida knows bB (which is public knowledge) and her own secret a. However, 
a third party knows only aB and bB. Without solving the discrete logarithm 
problem — finding a knowing B and aB (or finding b knowing B and bB) 
— there seems to be no way to compute abB knowing only aB and bB. 

Analog of Massey-Omura. As in the finite—field situation, this is a 
public key cryptosystem for transmitting message units m, which we now 
suppose have been imbedded as points P,, on some fixed (and publicly 
known) elliptic curve E over F, (where q is large). We also suppose that the 
number N of points on E has been computed (and is also publicly known). 
Each user of the system secretly selects a random integer e between 1 and 
N such that g.c.d.(e, N) = 1 and, using the Euclidean algorithm, computes 
its inverse d = e~! mod N, i.e., an integer d such that de = 1 mod N. If 
Alice wants to send the message P,, to Bob, first she sends him the point 
€aPm (where the subscript A denotes the user Alice). This means nothing 
to Bob, who, knowing neither d4 nor e,, cannot recover P,,. But, without 
attempting to make sense of this point, he multiplies it by his eg, and sends 
epeaPm back to Alice. The third step is for Alice to unravel the message 
part of the way by multiplying the point ege4P, by da. Since NP, = O 
and dae, = 1 mod N, this gives the point eg P,, which Alice returns to 
Bob, who can read the message by multiplying the point eg P,, by dg. 

Notice that an eavesdropper would know e4Pm, epeAPm and epPm. 
If (s)he could solve the discrete log problem on E, (s)he could determine 
eg from the first two points and then compute dg = ep mod N and 
Pin = dp(epPm). 

Analog of ElGamal. This is another public key cryptosystem for trans- 
mitting messages P,,. As in the key exchange system above, we start with 
a fixed publicly known finite field F,, elliptic curve E defined over it, and 
base point B € E. (We do not need to know the number of points N.) Each 
user chooses a random integer a, which is kept secret, and computes and 
publishes the point aB. 

To send a message P,, to Bjorn, Aniuta chooses a random integer k 
and sends the pair of points (kB, Pm +k(agB)) (where agB is Bjérn’s 
public key). To read the message, Bjérn multiplies the first point in the 
pair by his secret ag and subtracts the result from the second point: 


Pin + k(apB) -_ ap(kB) =P... 


Thus, Aniuta sends a disguised P,, along with a “clue” kB which is enough 
to remove the “mask” kagB if one knows the secret integer ag. An eaves- 
dropper who can solve the discrete log problem on EF can, of course, deter- 
mine ag from the publicly known information B and agB. 

The choice of curve and point. There are various ways of choosing an 
elliptic curve and (in the Diffie-Hellman and ElGamal set-up) a point B 
on it. 

Random selection of (EZ, B). Once we choose our large finite field F,, 
we can choose both EF and B = (a, y) € E at the same time as follows. (We 
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shall assume that the characteristic is > 3, so that elliptic curves are given 
by equation (1) in §1; one makes the obvious modifications if g = 2” or 3”.) 
First let x, y,a be three random elements of F,. Then set b = y*—(x*+az). 
Check that the cubic x? + ax + 6 does not have multiple roots, which is 
equivalent to: 4a + 27b? # 0. (If this condition is not met, make another 
random choice of z,y,a.) Set B = (x,y). Then B is a point on the elliptic 
curve y2 = 2? +ar+. 

If you need to know the number N of points, there are several tech- 
niques now available for computing N. The first polynomial time algorithm 
to compute #E was discovered by René Schoof. Schoof’s algorithm is even 
deterministic. It is based on the idea of finding the value of #E modulo | 
for all primes | less than a certain bound. This is done by examining the 
action of the “Frobenius” (the p-th power map) on points of order 1. 

In Schoof’s original paper the bound for running time was essentially 
O(log® q), which is polynomial but quite unpleasant. At first it looked like 
the algorithm was not practical. However, since then many people have 
worked on speeding up Schoof’s algorithm (V. Miller, N. Elkies, J. Buch- 
mann, V. Miiller, A. Menezes, L. Charlap, R. Coley, and D. Robbins). In 
addition, A. O. L. Atkins has developed a somewhat different method that, 
while not guaranteed to work in polynomial time, functions extremely well 
in practice. As a result of all of these efforts it has become feasible to com- 
pute the order of an arbitrary elliptic curve over F, if q is, say, a 50-digit 
or even a 100-digit prime power. Some of the methods for computing the 
number of points on an elliptic curve are discussed in the references listed 
at the end of the section. 

It should also be remarked that, even though one does not have to 
know NV in order to implement the Diffie-Helman or the ElGamal system, 
in practice one wants to be confident in its security, which depends upon 
N having a large prime factor. If N is a product of small primes, then 
the method of Pohlig—Silver-Hellman (see §IV.3) can be used to solve the 
discrete log problem. Note that the Pohlig-Silver-Hellman method carries 
over to the discrete log problem in any finite abelian group (unlike the 
index—calculus algorithm also discussed in §IV.3, which depends upon the 
specific nature of E;). Thus, one has to know that N is not a product of 
small primes, and it is not likely that you will know this unless you have 
the actual value of N. 

Reducing a global (E, B) modulo p. We now mention a second way 
to determine a pair consisting of an elliptic curve and a point on it. We 
first choose once and for all a “global” elliptic curve and a point of infinite 
order on it. Thus, let E be an elliptic curve defined over the field of rational 
numbers (or, more generally, we could use an elliptic curve defined over a 
number field), and let B be a point of infinite order on E. 

Example 2. It turns out that the point B = (0,0) is a point of infinite 
order on the elliptic curve EF: y? + y = x? — g, and in fact generates the 
entire group of rational points on E. 
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Example 3. It turns out that the point B = (0,0) is a point of infinite 
order on E: y?+y = 23 + 2? and generates the entire group of rational 
points. 

Next, we choose a large prime p (or, if our elliptic curve is defined over 
an extension field K of Q, then we choose a prime ideal of K) and consider 
the reduction of E and B modulo p. More precisely, for all p except for 
some small primes the coefficients in the equation for have no p in their 
denominators, so we may consider the coefficients in this equation modulo 
p. If we make a change of variables taking the resulting equation over F, 
to the form y? = 23 + az + b, the cubic on the right has no multiple roots 
(except in the case of a few small primes p), and so gives an elliptic curve 
(which we shall denote E mod p) over Fp. The coordinates of B will also 
reduce modulo p to give a point (which we shall denote B mod p) on the 
elliptic curve E' mod p. 

When we use this second method, we fix & and B once and for all, 
and then get many different possibilities by varying the prime p. 

Order of the point B. What are the chances that a “random” point B 
on a “random” elliptic curve is a generator? Or, in the case of our second 
method of selecting (EZ, B), what are the chances, as p varies, that the point 
B reduces modulo p to a generator of E mod p? This question is closely 
analogous to the following question concerning the multiplicative groups of 
finite fields: Given an integer b, what are the chances, as p varies, that 5 is 
a generator of F5? The question has been studied both in the finite-field 
and elliptic—-curve situations. For further discussion, see the paper by Gupta 
and Murty cited in the references. 

As mentioned before, for the security of the above cryptosystems it is 
not really necessary for B to be a generator. What is needed is for the cyclic 
subgroup generated by B to be a group in which the discrete log problem 
is intractible. This will be the case — i.e., all known methods for solving 
the discrete logarithm problem in an arbitrary abelian group will be very 
slow — provided that the order of B is divisible by a very large prime, say, 
having order of magnitude almost as large as N. 

One way to guarantee that our choice of B is suitable — and, in fact, 
that B generates the elliptic curve — is to choose our elliptic curve and 
finite field so that the number N of points is itself a prime number. If we do 
that, then every point B 4 O will be a generator. Thus, if we use the first 
method described above, then for a fixed F, we might keep choosing pairs 
(E, B) until we find one for which the number of points on E is a prime 
number (as determined by one of the primality tests discussed in § V.1). If 
we use the second method, then for a fixed global elliptic curve E over Q we 
keep choosing primes p until we find a prime for which the number of points 
on E mod p is a prime number. How long are we likely to have to wait? 
This question is analogous to the following question about the groups F5: 
is (p—1)/2 prime, i.e., is any element 4 +1 either a generator or the square 
of a generator (see Exercise 13 of §II.1)? Neither the elliptic curve nor the 
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finite field question has been definitively answered, but it is conjectured in 
both cases that the probability that a chosen p has the desired property is 


O(1/log p). 


Remark. In order for E mod p to have any chance of being of prime 


order N for large p, E must be chosen so as to have trivial torsion, i.e., to 
have no points except O of finite order. Otherwise, N will be divisible by 
the order of the torsion subgroup. 


Exercises 


1. 
2. 


Give a probabilistic algorithm for finding a nonsquare in F4. 
Describe a polynomial time deterministic algorithm for imbedding 
plaintexts m as points on an elliptic curve in the following cases: 

(a) E has equation y? = 2° — x and g = 3 mod 4. 

(b) E has equation y? + y = 2° and q = 2 mod 3. 

Let E be the elliptic curve y? + y = x° — x defined over the field of 
p = 751 elements. (A change of variables of the form y’ = y + 376 
will convert this equation to the form (1) of §1.) This curve contains 
N = 727 points. Suppose that the plaintext message units are the 
decimal digits 0—9 and the letters A—Z with numerical equivalents 
10—35, respectively. Take « = 20. 

(a) Use the method in the text to write the message “STOPO007” as a 
sequence of seven points on the curve. 

(b) Translate the sequence of points (361, 383), (241,605), (201, 380), 
(461, 467), (581,395) into a reply message. 

Let E be an elliptic curve defined over Q, and let p be a large prime, in 
particular, large enough so that reducing the equation y? = z>+ar+b 
modulo p gives an elliptic curve over Fp. Show that (a) if the cubic 
x® + ax + b splits into linear factors modulo p, then E mod p is not 
cyclic; (b) if this cubic has a root modulo p, then the number N of 
elements on EF mod p is even. 

Let E be the elliptic curve in Example 5 of §1. Let g = 2’, and let N,. 
be the number of F2,-points on EF. 

(a) Show that N, is never prime for r > 1. 

(b) When 4|r, find conditions that are equivalent to N, being divisible 
by an (r/4)-bit or (r/4 + 1)-bit prime. 

Let E be an elliptic curve defined over F,, and let N, denote the 
number of F,r-points on E. 

(a) Prove that if p > 3, then N, is never prime for r > 1. 

(b) Give a counterexample to part (a) when p = 2 and when p = 3. 
(a) Find an elliptic curve E defined over F4 which has only one F4- 
point (the point at infinity O). 

(b) Show that the number of F4--points on the curve in part (a) is the 
square of the Mersenne number 2” — 1. 
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10. 


11. 


(c) Find a very simple formula for the double of an F4r-point on this 
elliptic curve. 
(d) Prove that, if 2" — 1 is a Mersenne prime, then every F4r-point 
(except O) has exact order 2” — 1. 
Let r be odd, and let K denote the field F2-. For z € K let g(z) denote 
pare ey 2 72% ‘and let tr(z) (called the “trace”) denote Dees 2, 
(a) Prove that tr(z) € F9; tr(z1 + 22) = tr(z) + tr(z2); tr(1) = = 1; and 
g(z) + g(z)? =z + tr(z). 
(b) Prove that tr(z) = 0 for exactly half of the elements of K and 
tr(z) = 1 for the other half. 
(c) Describe a probabilistic algorithm for generating F2--points on the 
elliptic curve y2 +y = 2? +ar+b. 
Let E be the elliptic curve y? = x3 + az + b with a,b € Z. Let PE E. 
Let p > 3 denote a prime that does not divide either 4a° + 276? or the 
denominator of the z- or y-coordinate of P. Show that the order of 
P mod p on the elliptic curve E' mod p is the smallest positive integer 
k such that either (1) kP = O on E; or (2) p divides the denominator 
of the coordinates of kP. 
Let E be the elliptic curve y* + y = x° — x defined over Q, and let 
P = (0,0). By computing 27P for j = 1,2,..., find an example of a 
prime p such that E mod p is not generated by P mod p. (Note: it can 
be shown that the point P does generate the group of rational points 
of E.) 
Use the elliptic curve analog of ElGamal to send the message in Ex- 
ercise 3(a) with E and p as in Exercise 3 and B = (0,0). Suppose 
that your correspondent’s public key is the point (201,380) and your 
sequence of random k’s (one used to send each message unit) is 386, 
209, 118, 589, 312, 483, 335. What sequence of 7 pairs of points do you 
send? 

Note that in this exercise we used a rather small value of p; a 
more realistic example of the sort one would encounter in practice 
would require working with numbers of several dozen decimal digits. 
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3 Elliptic curve primality test 


The elliptic curve primality test, due to S. Goldwasser, J. Kilian and (in 
another variant) A. O. L. Atkin, is an analog of the following primality test 
of Pocklington based on the group (Z/nZ)*: 

Proposition 6.3.1. Let n be a positive integer. Suppose that there is a 
prime q dividing n—1 which is greater than \/n—1. If there exists an integer 
a such that (i) a*~! = 1 (mod n); and (ii) g.c.d.(a-))/4 — 1,n) = 1, then 
n is prime. 

Proof. If n is not prime, then there is a prime p < \/n which divides n. 
Since q > p — 1, it follows that g.c.d.(q,p — 1) = 1, and hence there exists 
an integer u such that ug = 1 (mod p— 1). Then a(*—)/9 = gua(n-D/a = 
a“("-1) = 1 (mod p) by condition (i), and this contradicts condition (ii). 

Remarks. This is an excellent test provided that n — 1 is divisible by 
a prime g > \/n — 1, and we have been able to find q (and prove that it’s 
prime). Otherwise, we’re out of luck. (This is not quite true — there’s a 
more general version which can be used whenever we have a large divisor 
of n — 1 in fully factored form, see Exercise 2 below.) 
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Note that this primality test is probabilistic only in the sense that a 
randomly chosen a may or may not satisfy condition (ii) (of course, if it 
fails to satisfy (i), then n is not prime). But once such an a is found (and 
a = 2 will usually work), then the test shows that n is definitely a prime. 
Unlike the primality tests in §V.1 (the Solovay-Strassen and Miller—-Rabin 
tests), the conclusion of Pocklington’s test is a certainty: n is a prime, not 
a “probable prime.” 

The elliptic curve primality test is based on an analogous proposition, 
where we suppose that we have an equation y* = x? + az + b considered 
modulo n. That is, a and 6b are integers modulo n, and we let E denote 
the set of all integers x,y € Z/nZ which satisfy the equation, along with a 
symbol O, which we call the “point at infinity.” If n is prime (as is almost 
certainly the case — since in practice we are only considering numbers n 
which have already passed some of the probable prime tests in §V.1), then 
E is an elliptic curve with identity element O. 

Before stating the analog of Proposition 6.3.1 for E, we note that, even 
without knowing that n is prime, we can apply the formulas in §1 to add 
elements of E. One of three things happens when we add two points (or 
double a point): (1) we get a well-defined point, (2) if the points are of 
the form (z, y) and (x, —y) modulo n, then we get the point at infinity, (3) 
the formulas are undefined, because we have a denominator which is not 
invertible modulo n. But case (3) means that n is composite, and we can 
find a nontrivial divisor by taking the g.c.d. of n with the denominator. 
So without loss of generality in what follows we may assume that case (3) 
never occurs. 

It can be shown that for P an element of EF modulo n, even if n is 
composite the answer our algorithm gives for mP does not depend on the 
particular manner in which we successively add and double points. (This 
is not a priori obvious.) However, this fact will not be needed below. It 
suffices to let mP denote any point which is obtained working modulo n 
with the formulas in §1. 

Just as we can add points modulo n without knowing that n is prime, 
similarly, given an algorithm for computing the number of points on an 
elliptic curve (such as Schoof’s method), we can apply it to our set E 
modulo n. We will either obtain some number m — which if n is prime 
is guaranteed to be the number of points on the elliptic curve E — or 
else encounter an undefined expression whose denominator has a nontrivial 
common factor with n. As in the case of the addition of points, without 
loss of generality we may assume that the latter never happens. 

Such an m will play the role of n — 1 in Proposition 6.3.1 — notice 
that n — 1 is the order of (Z/nZ)* if n is prime. 

We are now ready to state the elliptic curve analog of Pocklington’s 
criterion. 

Proposition 6.3.2. Let n be a positive integer. Let E be the set given 
by an equation y* = x? + ax +b modulo n, as above. Let m be an integer. 
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Suppose that there is a prime q dividing m which is greater than (ni/ 44 1)’. 
If there exists a point P of E such that (i) mP = O; and (ii) (m/q)P is 
defined and not equal to O, then n is prime. 


Proof (compare with the proof of Proposition 6.3.1). If n is not prime, 
then there is a prime p < ./n which divides n. Let E’ be the elliptic curve 
given by the same equation as E but considered modulo p, and let m’ be 
the order of the group E’. By Hasse’s Theorem, we have m’ < p+1+2,/p = 


(Yp+1)? < (nl/4 4 1)’ < q, and hence g.c.d.(q, m’) = 1, and there exists an 
integer u such that ug = 1 (mod m’). Let P’ € E’ be the point P considered 
modulo p. Then in E’ we have (m/q)P’ = ugq(m/q)P’ = umP’ = O, by 
(i), since mP’ is obtained using the same procedure as mP, only working 
modulo p|n rather than modulo n. But this contradicts (ii), since if (m/q)P 
is defined and 4 O modulo n, then the same procedure working modulo p 
rather than modulo n will give (m/q)P’ # O. This completes the proof. 


This proposition leads to an algorithm for proving that an integer n 
(which we may suppose is already known to be a “probable prime”) is 
definitely prime. We proceed as follows. We randomly select three integers 
a,z,y modulo n and set b = y* — x* — az (mod n). Then P = (z,y) is 
an element of E, where E is given by y? = x* + az + b. We use Schoof’s 
algorithm (or another method for counting the number of points on an 
elliptic curve) to find a number m which, if n is prime, is equal to the 
number of points on the elliptic curve E over F,,. If we cannot write m in 
the form m = kg, where k > 2 is a small integer and q is a “probable prime” 
(i.e., it passes a test as in §V.1), then we choose another random triple a, x, y 
and start again. Suppose we finally obtain an elliptic curve for which m has 
the desired form. Then we use the formulas in §VI.1 (working modulo n) to 
compute mP and kP. If we ever obtain an undefined expression — either 
in computing a multiple of P or in applying Schoof’s algorithm — then 
we immediately find a nontrivial factor of n. We may assume that this 
doesn’t happen. If mP # O, then we know that n is composite (because 
if n were prime, then the group E would have order m, and any element 
of E would be killed by multiplication by m). If kP = O (which is highly 
unlikely), we are out of luck, and must start again with another triple. But 
if mP = O and kP # O, then by Proposition 6.3.2 we know that n is 
prime, provided that the large factor q of m is really a prime (we only know 
it to be a “probable prime” ). This reduces the problem to proving primality 
of g, which has magnitude at most about n/2. We then start over with n 
replaced by qg. Thus, we obtain a recursive procedure with t repetitions of 
the primality test, where t is no more than about log, n. When we’re done, 
we have obtained a number q which we know to be prime, from which 
it follows that the previous q:_1 was really a prime (not just a “probable 
prime”), from which it follows that the same is true of g:—2, and so on, until 
qi = q, and finally n itself is truly a prime. This concludes the description 
of the elliptic curve primality test. 
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There are two difficulties with this test, one practical and the other 
theoretical. In the first place, although Schoof’s algorithm takes time poly- 
nomial in log n, in practice it is quite cumbersome. Some progress has been 
made recently in supplementing and streamlining it, but even so it is rather 
unpleasant to have to count the number of points on a large number of E 
until we finally find one for which m has the desired form m = kg. In order 
to deal with this problem, A. O. L. Atkin developed a variant of the elliptic 
curve primality test using carefully constructed elliptic curves with complex 
multiplication, for which it is much easier to compute the number of points 
on their reduction modulo n. For more information on Atkin’s method, see 
the article by Lenstra and Lenstra in the references below. 

The second difficulty is theoretical. In order to find an elliptic curve 
E over F,, (assuming that n is prime) whose number of points is “almost 
prime” (i.e., of the form m = kq for k small and q prime), we have to know 
something about the distribution of primes (rather, of “near primes” ) in the 
interval from p+1—2,/p to p+1+2,/p which, by Hasse’s Theorem, is known 
to contain m. Because the length of this interval is relatively small, there is 
no theorem which guarantees that we have a high probability of finding such 
an EF after only polynomially many tries (polynomial in logn). However, 
there is a very plausible conjecture which would guarantee this, and for 
practical purposes there should be no problem. But if one wants a provably 
polynomial time probabilistic algorithm, one has to work much harder: 
such a primality test was developed by Adleman and Huang using two- 
dimensional abelian varieties, which are a generalization of elliptic curves 
to 2 dimensions. However, their algorithm is completely impractical, as well 
as very complicated. 


Exercises 


1. (a) In Pocklington’s primality test, if n is prime, n — 1 is divisible by a 

prime q as in Proposition 6.3.1, and a is chosen at random in (Z/nZ)*, 
then what is the probability that a will satisfy the conditions of the 
proposition? 
(b) In the elliptic curve primality test, if n is prime, one has an elliptic 
curve of order divisible by a prime gq as in Proposition 6.3.2, and P is 
a random point on it, then what is the probability that P will satisfy 
the conditions of the proposition? 

2. Generalize Pocklington’s primality test to the case when one knows an 
integer s dividing n — 1 which is greater than \/n — 1 and for which 
one knows all primes g|s. Condition (ii) is required to hold for all q|s. 

3. (a) (Pépin’s primality test for Fermat numbers.) Prove that a Fermat 
number n = 22" + lisa prime if and only if there exists an integer a 


k— 
such that a2” = —1 mod n. Prove that if n is a prime, then 50% of 
all a € (Z/nZ)* have this property. Also prove that a can always be 
chosen to be 3, or 5, or 7, if k > 1. 
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(b) Prove that a Mersenne number n = 2? — 1 is a prime if and only if 
there exists a point P = (x,y) on the curve E: y? = 23+2 mod n such 
that (1) 2?-!P can be computed without encountering non-invertible 
denominators mod n, and (2) 2?-1P has y-coordinate zero. To do this, 
first prove that, if n = 2? — 1 is prime, then the group of points on 
E mod n is cyclic of order 2?, and 50% of all P € E mod n have 
the properties (1)-(2) above. Explain how one can generate random 
points P € E mod n. You may use any algorithm that assumes that 
b"-! = 1 mod n (ie., that n is a pseudoprime to various bases 6), 
because if you ever encounter a b for which this fails, your test ends 
with the conclusion that n must be composite. 

Note that this is a probabilistic primality test in the sense that, if 
n is a prime, there is no guarantee of when a suitable P will turn up. 
However, once such a P is found, then the test ensures that n must 
be prime. In this respect it is different from the pseudoprime tests in 
§ V.1. For a generalization which can test primality of any odd n, see 
W. Bosma’s paper cited below. 
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4 Elliptic curve factorization 


A key reason for the increasing interest in elliptic curves on the part of cryp- 
tographers is the recent ingenious use of elliptic curves by H. W. Lenstra to 
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obtain a new factorization method that in many respects is better than the 
earlier known ones. The improvement in efficiency is not significant enough 
in practice to pose a threat to the security of cryptosystems based on the 
assumed intractability of factoring (its time estimate has the same form 
that we encountered in § V.3); nevertheless, the discovery of an improve- 
ment using an unexpected new device serves as a warning that one should 
never be too complacent about the supposed imperviousness of the factor- 
ing problem to dramatic breakthroughs. The purpose of this final section 
is to describe Lenstra’s method. 

Before proceeding to Lenstra’s elliptic curve factorization algorithm, 
we give a classical factoring technique which is analogous to Lenstra’s 
method. 

Pollard’s p — 1 method. Suppose that we want to factor the composite 
number n, and p is some (as yet unknown) prime factor of n. If p happens to 
have the property that p — 1 has no large prime divisor, then the following 
method is virtually certain to find p. 

The algorithm proceeds as follows: 

1. Choose an integer k that is a multiple of all or most integers less than 
some bound B. For example, k might be B!, or it might be the least 
common multiple of all integers < B. 

2. Choose an integer a between 2 and n — 2. For example, a could equal 
2, or 3, or a randomly chosen integer. 

3. Compute a* mod n by the repeated squaring method. 

4. Compute d = g.c.d.(a* — 1,n) using the Euclidean algorithm and the 
residue of a* modulo n from step 3. 

5. If d is not a nontrivial divisor of n, start over with a new choice of a 
and/or a new choice of k. 

To explain when this algorithm will work, suppose that k is divisible 
by all positive integers < B, and further suppose that p is a prime divisor 
of n such that p — 1 is a product of small prime powers, all less than B. 
Then it follows that k is a multiple of p—1 (because it is a multiple of all of 
the prime powers in the factorization of p— 1), and so, by Fermat’s Little 
Theorem, we have a* = 1 mod p. Then plg.c.d.(a* — 1,n), and so the only 
way we could fail to get a nontrivial factor of n in step 4 is if it so happens 
that a* = 1 mod n. 

Example 1. We factor n = 540143 by this method, choosing B = 8 
(and hence k = 840, which is the least common multiple of 1,2,...,8) and 
a = 2. We find that 284° mod n is 53047, and g.c.d.(53046,n) = 421. This 
leads to the factorization 540143 = 421 - 1283. 


The main weakness of the Pollard method is clear if we attempt to use 
it when all of the prime divisors p of n have p — 1 divisible by a relatively 
large prime (or prime power). 


Example 2. Let n = 491389. We would be unlikely to find a nontrivial 
divisor until we chose B > 191. This is because it turns out that n = 


4 Elliptic curve factorization 193 


383 - 1283. We have 383 — 1 = 2-191 and 1283 — 1 = 2-641 (both 191 and 
641 are primes). Except for a = 0,+1 mod 383, all other a’s have order 
modulo 383 either 191 or 382; and except for a = 0, +1 mod 1283, all other 
a’s have order modulo 1283 either 641 or 1282. So unless k is divisible by 
191 (or 641), we are likely to find again and again that g.c.d.(a* —1,n) = 1 
in step 4. 

The basic dilemma with Pollard’s p— 1 method is that we are pinning 
our hopes on the group (Z/pZ)* (more precisely, the various such groups 
as p runs through the prime divisors of n). For a fixed n, these groups are 
fixed. If all of them happen to have order divisible by a large prime, we are 
stuck. 

The key difference in Lenstra’s method, as we shall see, is that, by 
working with elliptic curves over F, = Z/pZ, we suddenly have a whole 
gaggle of groups to use, and we can realistically hope always to find one 
whose order is not divisible by a large prime or prime power. 

We start our description of Lenstra’s algorithm with some comments 
about reducing points on elliptic curves modulo n, where n is a composite 
integer (unlike in §2, where we worked modulo prime numbers and in finite 
fields). 

Elliptic curves — reduction modulo n. For the remainder of the section 
we let n denote an odd composite integer and p an (as yet unknown) prime 
factor of n. We shall suppose that p > 3. For any integer m and any 
two rational numbers 21, 72 with denominators prime to m, we shall write 
21 = 2X2 mod m if x, — ze, written in lowest terms, is a fraction with 
numerator divisible by m. For any rational number x; with denominator 
prime to m there is a unique integer x2 (called the “least nonnegative 
residue”) between 0 and m — 1 such that 2; = r2 mod m. Sometimes we 
shall write “x; mod m” to denote this least nonnegative residue. 

Suppose that we have an equation of the form y? = x? + az +b with 
a,b € Z and a point P = (z,y) which satisfies it. In practice, the curve 
E together with the point P will be generated in some “random” way, for 
example, by choosing three random integers a, z, y in some range and then 
setting b = y? — 2° — az. We shall assume that the cubic has distinct roots, 
ie., 4a + 27b* # 0; this is almost certain if the coefficients were chosen 
in the random way described. For simplicity, in what follows we shall also 
suppose that 4a* + 27b has no common factor with n; in other words, 
z® + ax +b has no multiple roots modulo p for any prime divisor p of n. 
In practice, once we have made a choice of a and b, we can check this by 
computing g.c.d.(4a° + 27b?,n). If this is > 1, then either n|4a* + 276? 
(in which case we must make another choice of a and b) or else we have 
obtained a nontrivial divisor of n (in which case we’re done). So we shall 
suppose that g.c.d.(4a* + 27b?, n) = 1. 

Now suppose that we want to find the multiple kP, using the repeated 
doubling method described in § VI.2. This can be done in O(log k) steps, 
each involving a doubling or an addition of two distinct points. There are 
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many ways to go about this. For example, k can be written in binary as ag+ 
@1:2+++-+am—12™—1!, then P can be successively doubled, with 2’ P added 
to the partial sum whenever the corresponding bit a; is 1. Alternately, k 
could be factored first into a product of primes £;, and then one could 
successively compute ¢,(P), £2(€,P), and so on, where ¢;,,... are the 
primes in the factorization (listed, say, in non-decreasing order). Here each 
multiple ¢;P;, where P; = €;_1£;-2---4:P, is computed by writing 2; in 
binary and using repeated doublings. 


We shall suppose that some such technique has been chosen to compute 
multiples kP. 


We shall consider the point P and all of its multiples modulo n. This 
means that we let P mod n = (x mod n,y mod n), and, every time we 
compute some multiple kP, we really compute only the reduction of the 
coordinates modulo n. In order to be able to work modulo n, there is a 
nontrivial condition that must hold whenever we perform a doubling step 
or add two different points. Namely, all denominators must be prime to n. 


Proposition VI.3.1. Let E be an elliptic curve with equation y? = x3 + 
az + b, where a,b € Z and g.c.d.(4a° + 27b,n) = 1. Let P, and P2 be 
two points on E whose coordinates have denominators prime to n, where 
P, #4 —P,. Then P, + P2 € E has coordinates with denominators prime 
to n if and only if there is no prime p|n with the following property: the 
points P, mod p and P2 mod p on the elliptic curve E mod p add up to the 
point at infinity O mod p € E mod p. Here E mod p denotes the elliptic 
curve over F', obtained by reducing modulo p the coefficients of the equation 
y =z? +axr+b. 

Proof. First suppose that P, = (21, y1), Po = (2, y2), and Pj} +P, EE 
all have coordinates with denominators prime to n. Let p be any prime 
divisor of n. We must show that P, mod p+ P2 mod p # O mod p. If 
1 # Z2 mod p, then, according to the description of the addition law on 
E mod p, we immediately conclude that P, mod p+ P2 mod p is not the 
point at infinity on E’ mod p. Now suppose that 2; = x2 mod p. First, if 
P, = P2, then the coordinates of P, + Pz, = 2P, are found by the formula 
(5) of §1, and 2P, mod p is found by the same formula with each term 
replaced by its residue modulo p. We must show that the denominator 2y, 
is not divisible by p. If it were, then, because the denominator of the z- 
coefficient of 2P, is not divisible by p, it would follow that the numerator 
3x? + a would be divisible by p. But this would mean that 2 is a root 
modulo p of both the cubic x? +az + and its derivative, contradicting our 
assumption that there are no multiple roots modulo p. Now suppose that 
P, # Po. Since rg = x, mod p and z2 # 21, we can write 42 = 41 + px 
with r > 1 chosen so that neither the numerator nor denominator of x is 
divisible by p. Because we have assumed that P; + P2 has denominator not 
divisible by p, we can use the formula (4) of §1 to conclude that yp is of the 
form y; + p’y. On the other hand, 
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y2 = (a1 +p"x)® + a(x. +p"2) +6 4a) 
= 03 + az, +b+ p'2(3z? + a) = y} + p’2(327 + a) mod p*t?. 


But since zz = 2; mod p and y2 = y; mod p, it follows that P, mod p = 
P2 mod p, and so P; mod p+ P2 mod p = 2P,; mod p, which is O mod p if 
and only if y; = y2 = 0 mod p. If the latter congruence held, then y3 — y? = 
(y2 — y1)(y2 + y1) would be divisible by p"*? (ie., its numerator would be), 
and so the congruence (1) would imply that 32? + a = 0 mod p. This is 
impossible, because the polynomial x? + az + b modulo p has no multiple 
roots, and so x; cannot be a root both of this polynomial and its derivative 
modulo p. We conclude that P, mod p+ P2 mod p 4 O mod p, as claimed. 

Conversely, suppose that for all prime divisors p of n we have P; mod p+ 
P2 mod p # O mod p. We must show that the coordinates of P, + Pz have 
denominators prime to n, i.e., that the denominators are not divisible by 
p for any p|n. Fix some p|n. If 22 # x1 mod p, then the formula (4) of §1 
shows that there are no denominators divisible by p. So suppose that z2 = 
21 mod p. Then y2 = ty; mod p; but since P, mod p+ P2 mod p # O mod p, 
we must have yo = y; # 0 mod p. First, if P2 = P,, then the formula (5) of 
§1 together with the fact that y, # 0 mod p shows that the coordinates of 
P, + Pp = 2P,; have denominators prime to p. Finally, if P2 # P,, we again 
write z2 = 21 + p"x with x not divisible by p, and we use the congruence 
(1) above to write (y2 — y?)/(x2 — 21) = 32? + a mod p. Since p does not 
divide y2 + y1 = 2y, mod p, it follows that there is no p in the denominator 


of gees = ae and hence, by formula (4) of §1, there is no p in 
the denominator of the coordinates of P, + P2. This completes the proof. 
Lenstra’s method. We are given a composite odd integer n and want 
to find a nontrivial factor dln, 1 < d <n. We start by taking some elliptic 
curve E : y? = 2° + az + b with integer coefficients along with a point 
P = (za, y) onit. The pair (E, P) is probably generated in some random way, 
although we could choose to use some deterministic method which is capable 
of generating many such pairs (as in Example 4 below). We attempt to use 
E and P to factor n, as will be presently explained; if our attempt fails, we 
take another pair (E, P), and continue in this way until we find a factor d|n. 
If the probability of failure is p < 1, then the probability that h successive 
choices of (E, P) all fail is p", which is very small for h large. Thus, with a 
very high probability we will factor n in a reasonable number of tries. 
Once we have a pair (FE, P), we choose an integer k which is divisible 
by powers of small primes (< B) which are less than some bound C’. That 


is, we set 
k= |] &, (2) 
£<B 


where ag = [log C/log 4 is the largest exponent such that £%¢ < C. We 
then attempt to compute kP, working all the time modulo n. This compu- 
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tation is uneventful and useless, unless we run into the following difficulty: 
when attempting to find the inverse of x2 — x; in the formula (4) of §1 
or the inverse of 2y,; in (5), we encounter a number that is not prime to 
n. According to Proposition VI.3.1, this will happen when we have some 
multiple k, P (a partial sum encountered along the way in our computation 
of kP) which for some p|n has the property ki(P mod p) = O mod p, i.e., 
the point P mod p in the group E mod p has order dividing k. In the 
process of using the Euclidean algorithm to try to find the inverse modulo 
n of a denominator which is divisible by p, we instead find the g.c.d. of n 
with that denominator. That g.c.d. will be a proper divisor of n, unless it is 
n itself, i.e., unless the denominator is divisible by n. That would mean, by 
Proposition VI.3.1, that kyP mod p = O mod p for all prime divisors p of n 
— something which is highly unlikely if n has two or more very large prime 
divisors. Thus, it is virtually certain that as soon as we try to compute k,; P 
modulo n for a k, which is a multiple of the order of P mod p for some p|n, 
we will obtain a proper divisor of n. 

Notice the similarity with Pollard’s p—1 method. Instead of the group 
(Z/pZ)*, we are using the group E mod p. However, this time, if our E 
proves to be a bad choice — i.e., for each p|n the group E mod p has order 
divisible by a large prime (and so kP mod p is not likely to equal O mod p 
for k given by (2)) — all we have to do is throw it away and pick out 
another elliptic curve E together with a point P € E. We did not have 
such an option in the Pollard method. 

The algorithm. Let n be a positive odd composite integer. We now 
describe Lenstra’s probabilistic method for factoring n. 

We suppose we have a method for generating pairs (E, P) consisting of 
an elliptic curve y? = z?+ az +b with a,b € Z and a point P = (2, y) € E. 
Given such a pair, we go through the procedure about to be described. If 
that procedure fails to yield a nontrivial factor of n, then we generate a 
new pair (E£, P) and repeat the process. 

Before working with our E modulo n, we must verify that it is in fact an 
elliptic curve modulo any pJ|n, i.e., that the cubic on the right has distinct 
roots modulo p. This holds if and only if the discriminant 4a° + 27)? is 
prime to n. Thus, if g.c.d.(4a? + 27b?,n) = 1, we may proceed. Of course, 
if this g.c.d. is strictly between 1 and n, we have a divisor of n, and we’re 
done. If this g.c.d. equals n, then we must choose a different elliptic curve. 

Next, we suppose that we have chosen two positive integer bounds B, 
C. Here B is a bound for the prime divisors of the integer k by which we 
multiply the point P. If B is large, then there is a greater probability that 
our pair (E, P) has the property that kP mod p = O mod p for some p|n; on 
the other hand, the larger B the longer it will take to compute kP mod p. 
So B must be chosen in some way which we estimate minimizes the running 
time. C, roughly speaking, is a bound for the prime divisors p|n for which 
we are at all likely to obtain a relation kP mod p = O mod p. We then 
choose k to be given by (2), i.e., k is the product of all prime powers < C 
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which are powers of primes < B. Then Hasse’s Theorem tells us that, if p is 
such that p+1+ 2,/p < C and the order of E mod p is not divisible by any 
prime > B, then k is a multiple of this order and so kP mod p = O mod p. 

Example 3. Suppose we choose B = 20, and we want to factor a 10— 
decimal-digit integer n which may be a product of two 5—digit primes (i.e., 
not be divisible by any prime of fewer than 5 digits). Then choose C = 
100700 and k = 236 . 310.57. 75.114. 134-174. 19°. 

We now return to the description of the algorithm. Working modulo 
n, attempt to compute kP as follows. Use the repeated doubling method 
to compute 2P, 2(2P), 2(4P),..., 2P, then 3(2%?)P, 3(3 - 2% P),..., 
3°32°2 P, and so on, until finally you have [],., %P. (Multiply succes- 
sively by the prime factors ¢ of k from smallest to largest.) In these com- 
putations, whenever you have to divide modulo n, you use the Euclidean 
algorithm to find the inverse modulo n. If at any stage the Euclidean algo- 
rithm fails to provide an inverse, then either you find a nontrivial divisor 
of n or you obtain n itself as the g.c.d. of n and the denominator. In the 
former case, the algorithm has been successfully completed. In the latter 
case, you must go back and choose another pair (£, P). If the Euclidean 
algorithm always provides an inverse — and so kP modulo n is actually 
calculated — then you must also go back and choose another pair (E, P). 
This completes the description of the algorithm. 

Example 4. Let us use the family of elliptic curves y? = 2? + az — a, 
a=1,2,..., each of which contains the point P = (1,1). Before using an a 
for a given n, we must verify that the discriminant 4a* + 27a? is prime to 
n. Let us try to factor n = 5429 with B = 3 and C = 92. (In this example 
and the exercises below we illustrate the method using small values of n. 
Of course, in practice the method becomes valuable only for much, much 
larger n.) Here our choice of C' is motivated by our desire to find a prime 
factor p which could be almost as large as ,\/n ~ 73; for p = 73 the bound 
on the number of F,-points on an elliptic curve is 74 + 2/73 < 92. Using 
(2), we choose k = 2° - 34. For each value of a, we successively multiply P 
by 2 six times and then by 3 four times, working modulo n, on the elliptic 
curve y? = z°+az—a. When a = 1 we find that the multiplication proceeds 
smoothly, and it turns out that 342°P mod pis a finite point on E mod p for 
all p|n. So we try a = 2. Then we find that when we try to compute 372°P, 
we obtain a denominator whose g.c.d. with n is the proper factor 61. That 
is, the point (1,1) has order dividing 372° on the curve y? = 2° + 22 — 2 
modulo 61. (See Exercise 5 below.) Thus, our second attempt succeeds. By 
the way, if we try a = 3 we find that the method gives the other prime 
factor 89 when we try to compute 342°P. (Usually, but not always, the 
method gives the smallest prime factor.) 

Running time. The central issue in estimating the running time is to 
compute, for a fixed p and a given choice of bound B (which is chosen 
in some optimal manner), the probability that a randomly chosen elliptic 
curve modulo p has order N not divisible by any prime > B. Now the 
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orders N of all elliptic curves modulo p are known to be distributed fairly 
uniformly in the interval p+ 1 — 2,/p < N < p+1-+2,/p where Hasse’s 
Theorem tells us they all fall (except that the density of N’s drops off near 
the endpoints of this interval). Thus, the probability is roughly equal to 
the chance that a randomly chosen integer of size approximately p is not 
divisible by any prime > B. We already saw in our heuristic time estimate 
in § V.3 that this probability is approximately u~“, where u = log p/log B. 


This leads to an estimate of the form Ole ; aaa where r is the number 
of bits in n. For a detailed derivation of an estimate for the running time, 
see Lenstra’s article. 

More precisely, suppose that n is a positive integer which is not a prime 
power and is not divisible by 2 or 3. Assuming a plausible conjecture about 
the distribution of integers not divisible by any prime > B in a small interval 
around p, Lenstra proves the following probabilistic time estimate for the 
number of bit operations required to produce a nontrivial divisor of n: 


ev 2telegp tog Sa (3) 


where p is the smallest prime factor of n and € approaches zero for large p. 
Since always p < ,/n, it follows from (3) that we also have the estimate 


eV (lte)logn log logn (4) 


The estimate (4) has exactly the same form as the (conjectural) time 
estimates for the best general factoring methods known. However, Lenstra’s 
method has certain advantages over its competitors: 

1. It is the only method which is substantially faster if n is divisible by a 
prime which is much smaller than /n. 

2. For this reason, it can be used in combination with other factoring 
methods when the factorization of certain auxiliary numbers is re- 
quired. (For example, in the continued fraction method in §V.4, we 
needed the complete factorization of b? mod n if it is a product of 
relatively small primes.) 

3. It has a very small storage requirement, unlike most of its competitors. 
But perhaps the most exciting feature of Lenstra’s factorization algo- 

rithm is the use for the first time of elliptic curves, which are among the 
most richly structured and intensively studied objects in modern number 
theory and algebraic geometry. This shows that new factoring techniques 
might be found using unexpected constructions from hitherto unrelated 
branches of mathematics. 


Exercises 


1. Use Pollard’s method with k = 840 and a = 2 to try to factor n = 
53467. Then try with a = 3. 

2. Suppose that only one of the prime divisors p of n has the property that 
p —1 has no large prime factors. Suppose that in Pollard’s algorithm 


References for § VI.4 199 


you take a value of k which is not quite a multiple of p — 1, and try 
various values of a. Estimate in terms of k and p — 1 the probability 
that you obtain the factor d = p in step 4. 

For the following values of p and B, find (using a computer if necessary) 
the fraction of the integers between p+1—2,/p and p+1+2,/p which 
have no prime divisors greater than B: (a) p = 109, B = 3; (b) p = 109, 
B = 19; (c) p = 1009, B = 19; (d) p = 1009, B = 97; (e) p = 9973, 
B=97. 

Each of the values of n in Exercise 5 of § V.4 has a factor p < 100. In 
each case (a)-(k) find this factor by Lenstra’s elliptic curve method, 
choosing B = 5, C = 120, P = (1,1), and E: y? = 2? +ar-a 
with a = 1,2,... (taking a’s for which the discriminant is prime to 
n). In each case, what is the first value of a for which you find the 
factor, and what is the value of k, for which the factor appears as 
g.c.d.(denominator, n) in your computation of k,P? 

With k given by equation (2), suppose that you find a factor of n in 
the process of computing k; P modulo n, where k, is a partial product 
in (2). (Recall that we compute kP by successively multiplying by 
the @’s, proceeding in order of increasing £.) Prove that k;P mod p = 
O mod p for some p|n, i.e., rule out the possibility that you obtained 
a denominator not prime to n in the computation of @ times (k,/)P 
during one of the stages of the repeated doubling method before the 
last step. 

(a) Suppose that for any a € Z you have an efficient way of generating 
a point P = (a, y) such that y? = 2° +az mod n. Explain why it would 
not be a good idea to use the elliptic curves y? = x? + az with various 
a’s to factor n. 

(b) Same question for the family of elliptic curves y* = x? + b with 
various b’s. 

Suppose you want to increase very slightly the probability that the 
order of E mod p for some p|N is a product of small prime factors by 
ensuring in advance that 4 divides this order. Describe how to do this. 
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Om wh pe 


1.1. 


(112111). 

(26072 )z. 

10001100101; 1101 787°. 

MPJNS; LIKE (in other words, JQVXHJ=WE-LIKE+IT). 

(a) 10.101101111110000; (b) C.SRO. 

If bf — 1 is a multiple of d, then the fraction can be written in the 
form a/(b/ — 1), where a is an integer of at most f digits. Then use the 
formula for the sum of a geometric progression with initial term a-b-f 
and ratio b~£ Conversely, given a pure period-f expansion z, you find 
that bfx differs from x by an f-digit integer a, and this means that 
xz =a/(bf —1). 

(a) (BAD), 6; (b) no division is required: for example, to go from binary 
to hexadecimal simply start from the right and break off the digits in 
blocks of four; each four-tuple can be viewed as a hexadecimal digit 
(or replaced by one of the symbols 0—9, A—F). 

(1) Look at the top and bottom bit and also at whether there’s a 
borrow; (2) if both bits are the same and there is no borrow, or if the 
top bit is 1, the bottom bit is 0 and there is a borrow, then put down 
0 and move on; (3) if the top bit is 1, the bottom bit is 0 and there is 
no borrow, then put down 1 and move on; (4) if the top bit is 0, the 
bottom bit is 1 and there is a borrow, then put down 0, put a borrow 
in the next column, and move on; (5) if both bits are the same and 
there is a borrow, or if the top bit is 0, the bottom bit is 1 and there 
is no borrow, then put down 1, put a borrow in the next column, and 
move on. 
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9. (a) One needs n — 1 multiplications; in each case the partial product 
3? has at most O(n) digits and 3 has 2 digits, so there are O(n) bit 
operations; thus, the total is O(n”). (b) Here the partial product has 
O(nlogn) digits, so each multiplication takes O(nlog?n) bit opera- 
tions; the total is O(nlog?n). 

10. O(n?log?N). 

11. (a) O(nlog?n); (b) O(log?n). 

12. O(rsn(log?m + logn)). 

13. (a) The product of O(n/logn) numbers each with O(log n) digits has 
O(n/logn) - O(logn) = O(n) digits. (b) O(nlogn); (c) O(n?). 

14. (a) O(./nlog?n); (b) O(./nlogn). 

15. O(mlogn). 

16. Suppose that n has k + 1 bits. As a first approximation to m = [Vn] 
take a 1 followed by [k/2] zeros. Find the digits of m from left to right 
after the 1 by each time trying to change the zero to 1, and if the 
square of the resulting m is larger than n, putting it back to 0. 

§1.2. 

1. (b) A simple counterexample: let b = —a. 

2. 16 divisors: 1, 3, 5, 7, 9, 15, 21, 27, 35, 45, 63, 105, 135, 189, 315, 945. 

3. (a) When a|n write n = ab and let a «— b. (b) Given n = ab with 
a> b, set s = (a+b)/2 and t = (a—b)/2. Conversely, given n = s* — t? 
set a= s+t, b = s—t to get the reverse correspondence. (c) 473? —472? 
159? — 156? 97? — 92? 71? — 642 572 — 482 39? — 24? 332 — 122 31? — 4? 

4. (b) 100! = 297 . 348 . 524. 716 . 119 . 137. 175 . 195 . 234 . 293 . 319 . 372 - 
41? . 43? . 47? .53 -59-61-67- 71-73-79 - 83-89-97. (c) The formula is 
(n—S,(n))/(p—1). To prove this, write n = d,_ip*-1+---+dip+do, 
and note that for each j: [n/p’] = dg_1p*—1-7 +---+dj4ip+d,. Then 
use the formula in part (a). 

6. (a) 1=11-19—8-26; (b) 17 = 1-187 —5-34; (c) 1 = 205-160 — 39-841; 
(d) 13 = 65 - 2171 — 54- 2613. 

7. For example, here’s a comparison between the two ways in the case of 


part (d): 


2613 = 2171 + 442 2613 = 2171 + 442 
2171 = 4-442 + 403 2171 = 5 - 442 — 39 
442 = 403 + 39 442 = 11-39+ 13 
403 = 10-39+ 13 39 = 3-13. 


39 = 3-13. 
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11. 


12. 


13. 


14. 


15. 
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(b) 

g.c.d.(101000110101, 100001111011) 

= g.c.d.(110111010, 100001111011) 

= g.c.d.(11011101, 100001111011) = g.c.d.(11011101, 11110011110) 
= g.c.d.(11011101, 1111001111) = g.c.d.(11011101, 1011110010) 

= g.c.d.(11011101, 101111001) = g.c.d.(11011101, 10011100) 

= g.c.d.(11011101, 100111) = g.c.d.(10110110, 100111) 

= g.c.d.(1011011, 100111) = g.c.d.(110100, 100111) 

= g.c.d.(1101, 100111) = g.c.d.(1101, 11010) 

= g.c.d.(1101, 1101) = 1101. 

(c) Consider the product ab, and show that every two steps must de- 
crease the product of the two numbers whose g.c.d. you’re taking at 
least by a factor of 2. Thus, there are O(loga) steps. Each step is 
at most a subtraction, so takes O(log a) bit operations. (Notice that 
no division or multiplication is involved.) (d) It doesn’t give a way 
of expressing the g.c.d. as an integer combination of the original two 
numbers. However, it can be modified so as to do this: see “Extending 
the Binary GCD Algorithm” by G. H. Norton in Algebraic Algorithms 
and Error Correcting Codes, Springer-Verlag, 1986, 363-372. 

O(log alog b + log?b). 


. (a) The remainders decrease at the slowest rate when all of the quo- 


tients are 1. (b) Write G . = BAB™!, where A = ts a) 
is the diagonal matrix made up from the eigenvalues and B is a 


U 
matrix whose columns are eigenvectors, e.g., B = (2 a: (c) 


Since /5a > V5 frre = ak t? — alt? S gk+2 _ 1 it follows that 
k < (log(1 + V¥5a)/loga) — 2; we can also get the simpler estimate 
k < loga/ log a. The latter estimate is equal to 1.44042 -- - logoa, while 
the estimate in the proof of Proposition 1.2.1 is 2 logga. 

(b) In the sum of (logr;)(1 + log qi41), use the inequalities r; < b and 
I] ai+1 < a. Conclude that the sum is bounded by O((log6)(loga + 
log a)). 
(a) of +2241 =(2?)(e? +1) +1; 1=1(2t+2?4+1)—2?(2? +1). 
(b) 24 — 4x3 + 62? — 42 +1 = (2 — 3)(x? — 2? + 2 — 1) + (22? — 2), 
g®—2*+2—1 = ($a—4)(20?-2)+(2r—2), 2n?-2 = (x+1)(2e—2), 
so the g.c.d.ist—1; 2—1=(—$2+4)f+ (fo? -2+ 3)g. 
g.c.d.(f, f’) = 2? — x — 1, and the multiple roots are the golden ratio 
and its conjugate (1 + V5) /2. 

(a) 5+6i = 2i(3—2i) +1; 1 = 1(5+6i) —2i(3—2%). (b) 8—19i = 2(7- 
11i)+(—6+3i), 7—11i = (—2+i)(-6+3i)+(—2+i), —6+3% = 3(-2+ 
i), 80 —-2+7 is the g.c.d.; —2+% = (3+ 21)(7 — 114) + (2—i)(8— 194). 
(a) 12? + 257; (b) 54? + 317; (c) 116? + 159? 
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§1.3. 


1. 


2. 
3. 
4. 


10. 


11. 
12. 


(a) c = 6+7n, n any integer; (b) no solution; (c) same as (a); (d) 
219 + 256n; (e) 36 + 100n; (f) 636 + 676n. 

0, 1, 4, 9. 

3, B. 

The difference between n = 10*-1d,_1 +---+10d, + dp and the sum 
of the digits d,_1 +---+d, + dp is a sum of multiples of numbers of 
the form 10/ — 1, which is divisible by 9. 

Prove separately that it is divisible by 2, 3 and 5. 

Let x and y be the two digits. Then 72 — and hence both 8 and 9 — 
divide the cost 1000z + 60+ y cents. Thus, 8|60+y, which means that 
y =4, and then 9|1000z + 64, which is = 2 +1 mod 9. So x = 8. Thus 
each tile cost $1.12. 

(a) For example, suppose that m = 2p% Since m|(x?—1) = (x+1)(z-1), 
we must have a powers of p appearing in both +1 and x—1 together. 
But since p > 3, it follows that p cannot divide both x+ 1 and x—1 
(which are only 2 apart from one another), and so all of the p’s must 
divide one of them. If p*|z + 1, this means that + = —1 mod p®; if 
p*|z—1, then x = 1 mod p* Finally, since 2|x? —1 it follows that 2 must 
be odd, i.e., = 1 = —1 mod 2. Thus, by Property 5 of congruences, 
either z = 1 mod 2p* or z = —1 mod 2p. (b) First, if m > 8 is a 
power of 2, it’s easy to show that c = m/2 +1 gives a contradiction 
to part (a). Next, suppose that m is not a prime power (or twice a 
prime power), and p®||m. Set m’ = m/p% Use the Chinese Remainder 
Theorem to find an x which is = 1 mod p®* and = —1 mod m! Show 
that this x contradicts part (a). 

Pair every integer from 1 to p — 1 with its multiplicative inverse. Ac- 
cording to Exercise 7(a), only 1 and —1 are their own inverses. Thus, 
when the p— 1 numbers are multiplied, each pair containing two num- 
bers which are each other’s inverses must cancel, leaving just 1 and 
—1. 

Of course, 4 has the desired property, but it is not a 3-digit: number. 
By the last part of the Chinese Remainder Theorem, any other number 
which leaves the right remainders must differ from 4 by a multiple of 
7-9-11 = 693. The only 3-digit possibility is 4+ 693 = 697. 

One can apply the Chinese Remainder Theorem to the congruences x = 
1 mod 11, z = 2 mod 12, x = 3 mod 13. Alternately, one can observe 
that obviously —10 leaves the right remainders, and then proceed as 
in Exercise 9 to get —10 + 11-12-13 = 1706. 

(a) 1973; (b) 63841; (c) 58837. 

The quotient leaves remainders of 5, 1, 4 when divided by 9, 10, 11, 
and so (by the Chinese Remainder Theorem) is of the form 851+990m. 
Similarly, the divisor is of the form 817 + 990n. Since the divisor has 
3 digits, n = 0. Since the product has 6 digits, also m = 0. Thus, the 
answer is 851. 
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The most time-consuming parts of implementing the Chinese Remain- 
der Theorem are: (i) computing M; (ii) computing M; = M/m, for 
each of the r different i’s; (iii) finding the inverse of M; modulo m; for 
each 4; (iv) multiplying out a;M;,N; in the formula for x for each i; (v) 
dividing the resulting x by M to get the least nonnegative value. We use 
O(log B) for the number of bits in the m; or a; or N;, and O(r log B) 
for the number of bits in M or the M;. This gives O(r2log?B) for 
the number of bit operations to do (i)—(ii), (iv)-(v). In (iii), we need 
O(r?log*B) bit operations to reduce each of the M; modulo the cor- 
responding m; before taking the inverses, and then O(r log? B) bit op- 
erations to find all r inverses by the Euclidean algorithm. This gives 
the combined estimate O(rlog?B(r + log B)). Whether the r?log?B 
term or the rlog?B term dominates depends on the relative size of r 
and log B (i.e., the number of equations and the number of bits in our 
moduli). 

3Q1+2+2°+2° = 38.2. 16-63 = 79 mod 103. 

If we use the O(k”) estimate for the time to perform one multiplica- 
tion of k-bit integers (as we have been doing), then there is no sav- 
ing of time. In fact, the very last multiplication already uses time 
O((nlogb)?), which is the estimate we get by multiplying b by itself 
n times. The difficulty is that, unlike in modular arithmetic, in the 
repeated squaring method we end up dealing with pairs of very large 
integers, and this offsets the advantage of having far fewer multiplica- 
tions to perform. But if we were to use a more clever way of multiplying 
two k-bit integers, for example, if we used an algorithm requiring only 
O(k log k loglogk) bit operations, then it would save time to use the 
repeated squaring method. 

(a) Repeated squaring requires O(log*p) bit operations.whereas a time 
estimate of O(log?p) can be proved for the Euclidean algorithm. (b) 
Repeated squaring still requires time O(logp), but after we perform 
the first step of the Euclidean algorithm — dividing p by a (which 
requires O(log p log a) bit operations) — the rest of the Euclidean al- 
gorithm takes O(log?a) bit operations. So the Euclidean algorithm is 
faster, especially for a very small compared to p. 


n 90 91 92 93 94 95 96 97 98 99 100 
y(n) 24 72 44 60 46 72 32 96 42 60 40 
There is no n for which y(n) is an odd number greater than 1; y(n) = 1 
for n = 1, 2; y(n) = 2 for n = 3, 4, 6; y(n) = 4 for n = 5, 8, 10, 12; 
p(n) = 6 for n = 7, 9, 14, 18; y(n) = 8 for n = 15, 16, 20, 24, 30; 
y(n) = 10 for n = 11, 22; y(n) = 12 for n = 13, 21, 26, 28, 36, 42. 
To prove, for example, that these are all of the n for which y(n) = 12, 
compare the possible factorizations of 12 (with 1 allowed as a factor 
but not 3) with the formula y([] p*) = [](p* — p*~1). One has 1-2-6, 
1-12, 2-6, and 12. The first gives 2-3-7, the second gives 2-13, the 
third gives (3 or 4) -7 and 4-9, and the fourth gives 13. 


19. 


20. 


21. 


22. 


23. 


24. 


SOS Os 
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n cannot be a prime, since if it were y(n) = n — 1. By assumption, n 
is not the square of a prime. If it were not a product of two distinct 
primes, then it would be a product of three or more primes (not nec- 
essarily distinct). Let p be the smallest. Then p < n1/3, and we have 
y(n) < n(1— 3) <n(1—- n-V3)=n-nBa Goriteadiction’ 

Show that the. square of any odd number is = 1 mod 8, and then use 
induction just as in the first paragraph of the proof of Proposition I.3.5. 
(a) Notice that 360 is a multiple of y(p%) for each p*||m. By the remark 
just before Example 3 in the text, this means that 6647°°? = 6647? = 
44182609 mod m. (Here we’re also using the fact that g.c.d.(6647,m) = 
1, which follows because 6647 = 177-23.) (b) Raise a to the 359th power 
modulo m by the repeated squaring method. Since m = (101100111)a, 
we find that there are 8 squarings plus 5 multiplications (of at most 
63-bit integers), in each case combined with a division (at worst of a 
126-bit integer by a 63-bit integer). Thus, the number of bit operations 
is at most 13 x 63 x 63 + 13 x 64 x 63 = 104013. 

(a) Show that, if = j- 4, then z generates Sy if and only if 
g.c.d.(x, d) = 1. Notice that j runs through 0, 1,..., d—1. (b) Partition 
the set Z/nZ into subsets according to which Sq an element generates. 
The subset corresponding to a given Sq has y(d) elements, according 
to part (a). 

(a) Expand each term in the product in a geometric series: (1 + ; + 
a + s +--+), In expanding all the parentheses, the denominators will 
be all possible expressions of the form py! p$? --- p@: According to the 
Fundamental Theorem, every positive integer n occurs exactly once as 
such an expression. Hence, the product is equal to the harmonic eetiee 
+72. 4, which we know diverges. (b) First prove that for x < 5 we 
have = > —hlog(1 — 2) (look at the graph of log). Apply this when 
r= cf and compare a 1 with the log of the product in part (a). (c) 
For any ecole: of prime numbers n approaching infinity we have 
ee) =1- 1 — 1; for any sequence of n’s which are divisible by 
increasingly many of the successive primes (for example, take n; = j!), 
we have ele) = TT] pn(1 - ) => TLi,t= ) = 0 by part (a). 

(a) Give p; and the residue of N modulo p; to the i-th lieutenant 
general, and use the Chinese Remainder Theorem. (b) Choose each 
pi > */N but much smaller than “WN. 


Use the same argument as in the proof of the last proposition to con- 


clude that 6¢ = +1 mod m. But since (b4)*/ 4 = _1 mod m, it follows 
that b¢ = —1 mod m and a/d is odd. 

Use Exercise 3 with a = n and c = (p— 1)/2. 

(a) 28 + 1 = 257; (b) use Exercise 4; (c) m = 97 - 257 - 673. 
2-117-13-4561, 2°-5-7-13-41-73- 6481. 

24. 3?.7-13-31- 601. 
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3?- 41-271, 3°-7-11-13-37, 37-11- 73-101 - 137. 
7-23-89-599479; 72. 127-337 (this example shows that a prime p|b? — 
in Proposition 1.4.3 may divide 6” —1 to a greater power than it divides 
b¢ — 1). 

7-31-151, 3?-7-11-31-151-331, 3?-5?-7-11-13-31-41-61-151-331-1321. 
(a) Apply side by side the Euclidean algorithm to find g.c.d.(a™ — 
1,a” — 1) and to find g.c.d.(m,n). Notice that at each stage the re- 
mainder in the first Euclidean algorithm is a” — 1, where r is the re- 
mainder in the second Euclidean algorithm. For example, in the first 
step one divides a™ —1 by a” —1 to get a” —1, where r is the remainder 
when m is divided by n. (b) By part (a) and the Chinese Remainder 
Theorem, no two numbers between 0 and J](2™ — 1) have the same 
set of remainders. This product is greater than 2/2 > 2?* > ab. For 
the time estimate, one has r multiplications of at most ¢-bit integers, 
which take O(ré*) = O(ké) bit operations. This is better by a factor of 
r than the usual multiplication of a and b (which takes time O(k?)). 


§ 11.1. 


1. 


prime p 23 5 7 11 13 #17 
smallest generator 1223 2 2 8 

number of pene 1122 4 4 8 

(a) If g?-1 = 1 mod p’, then replace g by (p+ 1)g and show that then 
one has g?~! = 1+ gip with g, prime to p. Now if g/ = 1 mod p° first 
show that p—1|j, ie., 7 = (p—1)j1, and so (1+gp)"* = 1 mod p% But 
show that (1+g9:p) = 1+ jigip+ higher powers of p, and that then 
p*—1 must divide j;. (b) For the first part, see Exercise 20 of §1.3; the 
proof of the second part (which reduces to showing that 5/ cannot be 
= 1 mod 2° unless 2%~?|j) is similar to part (a). 

Be. 

2 ford =1: X, X+1; 1 ford = 2: X7+X+4+1; 2 ford = 3: X34+X?7+1, 
X34+X41;3 ford = 4: X44+X341, X44-X41, X44X34X74X41; 
6 ford = 5: X54 X341, X94 X27 4:1, X94 X44 X34 X741, 
X54.X44.X34.X41, X94X44X74-X41, X94.X34X24X41;9 
for d = 6: X§4+.X541, X°+.X341, X§4+X41, X64. X54X44 X7241, 
X84 X54.X44X41, X84 X54 X34 X241, X84 X54 X24 K4-1, 
X64 X44.X34X41, X84 X44 X74 X41. 

3 ford = 1: X, X +1; 3 ford = 2: X74+1, X74 X — 1; 8 ford=3: 
X34 X?4(X -1), X3—X?24(X 41), X34 (X?-1), X8-X4+1; 
18 for d = 4; 48 for d = 5; 116 for d= 6. 

(pf — pf/*)/f. 

(a) gcd. = 1 = X*9g+(X+1)f; (b) gcd. = X37 4+ X?274+1=f+ 
(X? + X)g; (c) g.c.d. = 1 = (X —1)f —(X? — X +1)g; (d) g.c.d. = 
X+1=(X —-1)f — (X3 — X? + 1)g; (e) g.c.d. = X +78 = (50X + 
20) f + (51X3 + 26X2 + 27X + 4)g. 


10. 


11. 


12. 


13. 


14. 
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Since g.c.d.(f, f’) = X?+1, the multiple roots are ta”, where a is the 
generator of F9 in the text. 

(a) Raising 0 = a? + ba +c to the pth power and using the fact 
that b? = b and cP = c, we obtain 0 = (a?)? + ba? +c. (b) The 
polynomial’s two distinct roots are then a and a?. Then a is minus 
the sum of the roots, and 6 is the product of the roots. (c) (ca + 
d)?*1 = (ca? +d)(ca +d), and then multiply out and use part (b). (d) 
(2 + 34)501942)+1 — (2? 4 37)5(2 + 34) = 14(2 + 31) = 9 + 44. 

In each division of polynomials (first f by g, then r; by r;+1), after first 
finding the inverse modulo p of the leading coefficient of rj41 (which 
takes O(log) bit operations), one needs to perform O(d*) multiplica- 
tions in the field (i.e., of integers modulo p), each taking O(logp) bit 
operations. Thus, each division takes O(log°p+d*log*p) bit operations, 
and so the entire Euclidean algorithm takes O(d)-O(log*p(log p+-d”)) = 
O(dlog*p(log p+ d*)) operations. (This can be simplified to O(dlog?p) 
if d is constrained not to grow faster than /logp, and to O(d°log?p) 
if p is constrained not to grow faster than et.) 

(a) Let a be a root of X?+ X +1 = 0; then the three successive powers 
of a are a, a+ 1, and 1. (b) Let a be a root of X?+ X +1=0; then 
the seven successive powers of a are a, a2 a+1,0?+a,07+a+4+1, 
a* +1, 1. (c) Let a be a root of X3— X —1 = 0; then the 26 successive 
powers of a are a, a? a+1, a? +a, a? +a+1, a? -a41, —a?-a+1, 
—a? —1, -a+1, —a* +a, a? —a—1, —a* +1, —1, followed by the 
same 13 elements with all +’s and —’s reversed. (d) Let a be a root 
of X? — X +2 = 0; then the 24 successive powers of a are a, a — 2, 
—a—2,2a+2,—a+1, 2, then the same six elements multiplied by 2, 
then multiplied by —1, then multiplied by —2, giving all 24 powers of 


a. 
O(f2/), since for each of the O(24) powers of a one has to multiply 
the previous expression by a and, if af occurs, add the lower degree 
polynomial which equals af to the result of increasing the lower powers 
of a by 1 in the previous expression; all of this takes only O(f) bit 
operations. 

(a) p = 2 and 2f — 1 is a “Mersenne” prime (see Example 1 and 
Exercise 2 of §1.4); (b) besides the cases in part (a), also when p = 3 
and (3f — 1)/2 is a prime (as in part (a), this requires that f itself 
be prime, but that is not sufficient, as the example f = 5 shows), 
and when p is of the form 2p’ + 1 with p’ a prime and f = 1. It is 
not known, incidentally, whether there are infinitely many prime fields 
with any of the conditions in (a)-(b) (but it is conjectured that there 
are). Primes p’ for which p = 2p’ +1 is also prime are called “Germain 
primes” after Sophie Germain, who in 1823 proved that the first case 
of Fermat’s Last Theorem holds if the exponent is such a prime. 
Choose a sequence n; for which y(n;)/n; —> 0 as j —> oo (see 
Exercise 23 of §1.3) with none of the n; divisible by p, and let f; be 
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the order of p modulo n, (the smallest power of p that is = 1 mod n,). 

15. All polynomials in which XJ occurs with nonzero coefficient only if p|j. 

16. Reduce to the case when j = d by showing that, if 09(a) = a and 
of(a) = a, we have o%(a) = a (see the proof of Proposition 1.4.2). 
Notice that the field F,«, which is the splitting field of X PX , is 
contained in F,, because any root a of this polynomial also satisfies 
X14 = X (to see this, raise both sides of a’ = a to the p*t-th power 
f /d times). 

17. Show that b! = bP"-1/(P*-) is in F,« by showing that it is fixed 
under 0? (i.e., raising to the p?-th power); show see it is a generator 
by showing that all of the powers (b’)’, 7 = 0,...,p? — 2 are distinct 
(this follows from the fact that the first p” — 1 powers of b are distinct). 


§ 11.2. 

1. The sets of residues are: for p = 3, {1}; for p = 5, {1,4}; for p = 7, 
{1,2,4}; for p = 13, {1,3,4,9, 10, 12}; for p = 17, {1,2,4,8,9, 13, 15, 
16}; for p = 19, {1,4,5,6, 7,9, 11, 16, 17}. 

2. (b) From part (a) and Propositions II.2.2 and II.2.4 you know that 

(2) =1= 2-1? mod p. This means that the ((p — 1)/2°)-th power 

of 2 is = —1 mod p for some @ > 2. Since 22° = -1 mod p, you 

can show that g.c.d.((p — 1)/2%, 2*) = 2* and this immediately gives 

p = 1 mod 2*+ (c) The only prime which is = 1 mod 64 and < 65537 

is 193, which does not divide 65537. 

g.c.d.(84, 1330) = 14. 

Write (=) = =(> =1 Ne ), and consider the four possible cases of p a 8. 

(%)= a ()(#8) = a —(482)( 487) = a? = =)( 33) = _ sl Gea 1)(— 1)= 

(a) 14; (b) 9; (c) 9a. 

a® — a (see the proof of Proposition II.2.4); 6, 60, 4080, 24, 210, 336. 

Since gq = 1 (ene p, there is a as p-th root of unity € in Fo. 

Then G = Or" 1(2)€ has square (= 1)p (see the lemma in the fect 

‘< Proposition 11.2. 5). 

9. (a) ( (Soe (4)a¥; 6, 45, 3126, 906 (in the last case use: 1093 = 


(37 — 1) ia (b) Let G = OF 1 (2)24. Then the least positive square 


root of (= Ln module 2°41 i g if p='b mod 8: —g if p = 3 mod 8; 
pt+gifp= 7 mod 8; p—g if p=1 mod 8. 


DO) See oe 


10. (a) (Sot) = (Hot) = = (jar) = - (zor) (gaor) (aaor) = FS (5 GF Naz 7) = 
1-1-(3)(%) = -(3)(2) = -1. (b) (4) = CH) = (AR) = 
—(1)(07) = (Gaz) = (G73) = (7s) = CP) = (3) = (St) = (BP) = 

—() = -(}) =-1. 


11. (a) 1; (b) 1; (©) 1; (d) 1; (e) 1; (£) 4; (g) -1. 
12. 0) CB) = (IG) = DENA YEHO-I/CG) = CB, whic 
1 if and only if p= 1 mod 3. (b) (444) = -(#}*) = -(4) =-1. 


13. 
14. 


15. 


16. 


17. 


18. 


19. 


20. 


21. 
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last decimal digit being 1 or 9. 

Any power of a residue is a residue, so none of the nonresidues can 
occur as a power, and that means a residue cannot be a generator. 
(a) Since p — 1 is a power of 2, the order of any element g is a power 
of 2b Sl) = g?-1)/2 mod p, then this order cannot be less 


than p— 1. (b) Ifk >1 and p = 2?" +41, then p = 2 mod 5 (since the 
exponent of 2 is a multiple of 4). Then (3) = (2) = -1. (c) Similar to 
part (b): since the exponent of 2 is not divisible by 3, it follows that 
the power of 2 is = 2 or 4 modulo 7; hence p = 3 or 5 mod 7, and 
(7) =(#) =-1. 
(a) We have (a + bi)?*? = (a? + bPi?)(a + bi) = (a — bi)(a + bi) = 
a? + b% Claim: If (a + bi)™ € F,, then p+ 1|m. To prove the claim, 
let d = g.c.d.(m,p +1). Using the same gle as in the proof of 
Proposition 1.4.2, we see that (a+ bi)? € But since p+1 is a power 
of 2, ifd< pt 1 we find that (a + bi) oe is an element of F, whose 
square is a? + b*. But a? + 0? is not a residue (by Exercise 14). Hence, 
d=p+1 and p+1|m. Now that the claim has been proved, suppose 
that n = n'(p + 1) is such that (a + bt)" = 1 (note that p + 1|n by 
the claim). Then (a? + b*)™ = 1, and so p— 1|n’ because a? + b? is a 
generator of F¥. (b) Show that 17 and 13 are generators of F3). 
In both cases you get O(log?p). But note that Proposition II.2.2 applies 
only for (£) when n = p is prime, whereas the method in part (a) 
applies generally for any positive odd n. Also notice that the time for 
part (a) can be reduced to O(log*p) by the method used in Exercise 
11 of §1.2. 
(a) Solve by completing the square; show that the number of solutions 
is the same as for the equation z? = D mod p. There is 1 solution if 
D =O, none if D is a nonresidue, and 2 if D is a residue. (b) 0, 0, 2, 
1, 2; (c) 2, 2, 1, 0, 0. 
n = 3; p—1 = 2.65; r = a? = 203 mod p (we compute 
30233 by the repeated squaring method, successively squaring 5 times 
and multiplying the result by 302); also by the repeated squaring 
method we compute b = n® = 888 mod p; one takes j = 2?, ie., 
302 mod p = b*r = 1292 mod p. 
(a) Use induction on a. To go from a — 1 to a, suppose you have an 
(a—1)-digit base-p integer % such that £? = a mod p*~!. To determine 
the last digit r.-1 € {0,1,...,.p—1} of r = $+ 2q-1p*"} write 
£* = a+bp%~! for some integer b, and then work modulo p® as follows: 
= (£+ fq-1p? 1)? = & + W2zoty-1p*) = a+ p* "(b+ W2zora-1). 
So it suffices to choose rg-1 = —(2r%9)~1b mod p (note that 229 is 
invertible because p is odd, and a = x2 mod p is prime to p). (b) Use 
the Chinese remainder theorem to find an z which is congruent modulo 
each p® to the square root found in part (a). 
(a) If (*) were true for b; and for bbe, then dividing the two congru- 
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22. 


23. 
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ences would give (*) for be (since both sides are multiplicative). Next, 
suppose (*) were false for some b. Then the set of b’s obtained by 
multiplying b by all the elements for which (*) is true would consist of 
elements for which (*) is false. (b) For example, take b = 14+n/p, where 
p’|n. Then (2) = 1, but 0 = 1 only when p|j, which is not the case for 
j = (n—1)/2. (c) Show that (2) = —1 but that b(°-))/? = 1 mod n/p 
and hence one could not have b(°-!)/2 = —1 modulo n/p, let alone 
modulo n. Next, let a; be any nonresidue modulo p, and let a2 = 1. Use 
the Chinese Remainder Theorem to find a solution b to: x = a, mod p, 
ZL = a2 mod n/p. 

= (t+a)P(t+a) =(t+a?)(t+a) =(t—a)(t+a) =t?-a? =a, 
where the third equality comes from the fact that a = Vt? —a has 
conjugate a? = —\/t? — a; note that b must be in F,, since a has two 
square roots in F, by assumption, and so its square roots in F,2 are 
actually in Fp. 

Let b be the least positive residue of n’—")/4 modulo p; then 6 is a 
square root of —1 modulo p, ie., pb? + 1. Now compute c+ di = 
g.c.d.(p,b + 4) (see Exercise 14 of §1.2). 


§ TIL.1. 


1. 


A hk ae 


“We sewed a smile on a horse’s ass, and a year later it was elected 
President.” 

Use the fact that “X” occurs most frequently in the ciphertext to find 
that b = 19. The message is: WEWERELUCK YBECAUSEOFTEN 
THEFREQUENCYMETHODNEEDSLONGERCIPHERTEXT. 
THRPXDH. 

SUCCESSATLAST. 

AGENT 006 IS DEAD _ 007. 

You find 9 possibilities for a’ and ’: a’ = 1, 4, 7, 10, 13, 16, 19, 22, 25, 
and b’ = 21, 6, 18, 3, 15, 0, 12, 24, 9, respectively. Since you have 
no more information to go on, simply try all nine possibilities; it turns 
out that only the third one P = 7C + 18 mod 27 gives a meaningful 
plaintext. The plaintexts of the nine tranformations are, respectively: 
“I DY IB RIF” “I PS IH RIX” “I AM IN RIO” “I MG IT RIF’; 
“T YA IZ RIX” “I JV IE RIO”® “I VP IK RIF’ “I GJ IQ RIX’ 
“I SD IW RIO”. 

(a) N; (b) Np(N) = NJ] w(1— 5); (c) 312, 486, 812, 240. 

(a) If a # 1, then the congruence (a — 1)P = —b mod N has exactly 
one solution in the field Fy = Z/NZ. (b) P = 0 is always fixed; for N 
even (so a must be odd) the congruence (a — 1)P = 0 mod N at least 
has the two solutions P = 0 and P = N/2. (c) Any example with NV 
even and b odd; more generally, any example in which 6 is not divisible 
by g.c.d.(a — 1, N). 

N?p(N?) = N4 jw - ra 210,912; 354,294; 682,892; 216,000. 


10. 


11. 


12. 
13. 
14. 


15. 
16. 
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(a) a’ = 435, b' =64; “FOUNDTHEGOLD”; (b) a=115, b= 76; 
“AWOFUWAE.” 

(a) You cannot find the key from the first two congruences; but sub- 
tracting the third from the first gives 139a’ = 247 mod 900, and then 
a’ = 73, b'= 768; “ARE YOU JOKING?”; (b) a= 37, b= 384; 
“FWU ORI DCCUVGA .” 

“CCCP” which is Russian for USSR. 

P = 37P + 384 mod 900 leads to 3P = 43 mod 75; none. 

(a) The product of J = P+b, mod N and C = I+b2 mod N is C = P+ 
b mod N with b = b; + bg. (b) The product is the linear transformation 
with a = a) - ag. (c) The product is the affine transformation with 
a@=a,- a2 and b=agq:b; + bo. 

P = 642C + 187 mod 853; “DUMB IDEA .” 

First compute J = 201C + 250 mod 881 and then P = 3317 + 
257 mod 757; “NO RETREAT.” 


§ III.2. 


1. 


The key-word for enciphering is “SPY.” The plaintext (with blanks 
and punctuation inserted for readability) is: “I had asked that a cable 
from Washington to New Delhi summarizing the results of the aid con- 
sortium be repeated to me through the Toronto Consulate. It arrived 
in code; no facilities existed for decoding. They brought it to me at 
the airport — a mass of numbers. I asked if they assumed I could read 
it. They said no. I asked how they managed. They said when some- 
thing arrived in code, they phoned Washington and had the original 
message read to them.” (John Kenneth Galbraith, Ambassador’s Jour- 
nal, quoted by G. E. Mellen in “Cryptology, computers and common 
sense,” vol. III of Computers and Security.) 


3 2 19 10 11 11 820 0 
OC Tee te) Ge a Cy an 
(e) a “) 

546 353 
(a) (°); (b) none (since multiplying the second congruence by 2 and 
subtracting from the first gives 6y = 8 mod 9, which would mean 3)8); 


(c) (q), (> Gs @ G)s (> G)- 

(a) (4); (b) (0); (c) any vector with y = 2, ie., (9), (}), (3), ete; 
(d) any vector of the form Ge) (e) none. 

(a) (759); (b) (253); (©) Co) (A) C6)» Gos)» (zor0)» Coa)» Caos)» (Sos) 

(s08)> (202)> (roz)> (ior)» (e06 )s (€) add (G99) to any of the 11 vectors 
in part (d) and reduce mod 1111. 

Use mathematical induction, proving the assertion for n = 1, 2,..., b 


by inspection and then proving that the assertion for n implies the 
assertion for n + b. Namely, compute: 
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Gan nto ) 


fr+d  fn4b-1 


(ra) (0) Ga) 
1 0 1 0 

= (4 a ee ss) 

(6) et) 


Cin Cin 
= (he ae TRG, 


where c € (Z/aZ)* and use the induction assumption. (It can be proved 
that for any integer a there is an integer b such that a|f,, <> b|n, and 
that if @ = p* is a power of a prime p # 5, then b is a divisor of 
p*—1(p* — 1); the proof uses a little algebraic number theory in the 
real quadratic field generated by the golden ratio — note that the 
golden ratio and its conjugate are the eigenvalues of the matrix in the 
definition of Fibonacci numbers.) 


wets & :) , “SENATORTOOK.” 


18 
A= & i “MEET AT NOON.” 
22 20 3 7 
a1 “ 2? ”, = 
A 33): “WHY NO GO? MARIA"; A ie 


“JIMLD W EFWJV.” 
“CJIABA KIICC’, which is Russian for GLORY TO THE CPSU 
(Communist Party of the Soviet Union). 


. The product epee has enciphering matrix A2A. 


“2CVK”; first apply 28) to the ciphertext vector, working mod- 
9 20 


ulo 29, and then apply ee Z ) to the resulting vector, working mod- 
ulo 26; “STOP.” 

By Proposition 3.2.1 (namely, (b) false implies (c) false), there ex- 
ists a nonzero vector which the matrix A takes to (3). That plaintext 
digraph-vector can be added to any plaintext digraph-vector without 
changing the corresponding ciphertext. 

Here the ciphertext is 


18 6 11 10 29 14 16 11 14 10 11 21 
26 13 8 #3 10 25 11 8 12 20 27 24 


and the last three columns of plaintext are (Ce a mn The de- 
terminant of the matrix formed by the first two of the latter three 
columns is 20 mod 30, which is not invertible modulo 30 but is invert- 


ible modulo 3. The determinant of the matrix formed by the second 
and third columns is 9 mod 30, which is not invertible modulo 30 but 


15. 


16. 
17. 
18. 


19. 
20. 


21. 
22. 
23. 


24. 


25. 
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is invertible modulo 10. Working with the first two columns modulo 
é -1 _ (10 17 10 11\-1 _ /1 2 1 2\-1 

3 gives A™® mod 3 = e: nh) (30 27) = (6 3) (3 a) 

= Gi a Similarly, working with the last two columns modulo 10 


gives A! = ( 3): By the Chinese Remainder Theorem there is 


a unique matrix A~! modulo 30 that satisfies these two congruences: 


Als ( pate ) . The plaintext is “GIVE THE PLANS TO KARLA.” 


Here the ciphertext is oi ge a a " - a oy) and the first 
three columns of plaintext are (3 a In attempting to use 
A-1 = PC} note that the matrix formed from the first two di- 
graphs of C’ has determinant whose g.c.d. with 30 is 6. Using the 
Ist and 3rd digraphs improves the situation: det(3y is) = 4, and 
g.c.d.(4, 30) = 2. Use this matrix for C and work modulo 15 to find 


that At = (2 2) 4 15A,, where A; € M2(Z/2Z). Use the fact that 
8 4 


-1/10 22 26\_(2 8 0 -1\: 
A Gt 97 ‘9) = (3 29 ds) and the fact that det(A~*) is odd 
17 2 17 2 


to show that either A~! = ( 8 3 or es io The first possi- 
bility gives the plaintext message “C.I.A. WILLLHTLA;” the second 
possibility gives “C.I.A. WILL HELP.” 

Use the Chinese Remainder Theorem. 

(p? — 1)(p? — p). 

The determinant has no common factor with p® if and only if it has 
no common factor with p; p*-3(p? — 1)(p — 1). 

N*T] iw (1 — 5)(1 — 2); 157248, 682080, 138240. 


NO) Th w(t - 3) - 3)---(- 2). 

N® TJ uw (1 — 3)(1 — 35); 106,299,648; 573,629,280; 124,416,000. 

(a) (p? — 1)(p? — p); (b) p? —p. 

(a) Ap = Ge a (b) (iy (c) six (this agrees with Exercise 22(b), 
where p = 3); they are: A=(¢ 7), where (2) = (38), (3)> (is)> (8) 
(2) or 

(a) g.c.d.(det(A — I), N) =1, where det(A — I) = (a—1)(d—1) — bc 
(apply the (a)<=>(c) part of Proposition 3.2.1 with A replaced by 
A-I= ee ; Pu i): (b) Let Fy be the field Z/NZ. The digraphs 


c 
are a 2-dimensional vector space, of which the fixed digraphs form a 
subspace. Any subspace that contains more than the zero-vector must 
either be 1-dimensional, in which case it has N elements, or else contain 
all digraphs, in which case A = I. 


_ _ (14 781 pf BBN od 
(a) P=A'C+B A= (gh OR), BY = (303); “HIT ARMY 
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10 7 
(312); “INJUFYKTEGOUL IB!VFEXUNJHALGQGJ” 


26. 298(29? — 1)(29? — 29) = 341, 208, 073, 352, 438, 880. 
27. 91,617,661,629,000,000. 


BASE! HEADQUARTERS’ (b) C= AP+B, A= (1% %), B= 


18 21 19 
28. A= (3 : ) “SENDROSESANDCAVIARJAMESBOND.” 


§IV.1. 

1. (3) =m(m — 1)/2 for classical; m for public key; 499500 versus 1000 
when m = 1000. 

2. Here is one possible method. The investors and stockbrokers use a sys- 
tem with P = C. Then user A sends a message to user B by taking 
each message unit P and transmitting fp f,'(P). Each message in- 
cludes an identification number. Then user B must immediately send 
an acknowledgment message which includes the identification number 
of the message received from A. User B transforms each message unit 
P of the acknowledgment message to fa fz '(P) before transmitting it 
(this is completely analogous to A’s double enciphering of the original 
message). If A does not receive an acknowledgment message very soon 
after sending his message, he repeats the message until he does. Later, 
after the stock loses money or for some reason there is a dispute about 
who sent what message, the stockbroker can prove that a message was 
sent by A, because no one except A (and the judge) has the infor- 
mation necessary to produce a message that can be read by applying 
fafs 1 Similarly, A can prove that a message with a given identifica- 
tion number was received by B (since no one else could have sent the 
acknowledgment message), and so B can be required to produce the 
message for the judge. 

3. A public key cryptosystem is agreed upon which uses random inte- 
gers (subject to some conditions, perhaps) to form enciphering and 
deciphering keys according to some algorithm. The computer is then 
programmed to generate random integers which it then uses to form 
a pair of keys K = (Kg, Kp). The computer transmits Kp (not Kz) 
to the outside world and keeps Kg (not Kp) to itself. Thus, anyone 
at all can read its messages, but no one at all can create a message 
that can be deciphered using the deciphering algorithm with key Kp. 
(This is the reverse of the usual situation in public key cryptography, 
where anyone can send a message but only the user with the secret key 
can read it.) It is possible for the scientists working jointly to program 
the computer to generate random numbers in a way that no one can 
predict or duplicate once the computer is “on its own.” (Note the pro- 
found realism of this example, which assumes that the two countries 
have infinite mistrust of each other and at the same time infinite trust 
of computers.) 
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Bjorn chooses at random an element p €.P, computes c = f(p) and 
sends Aniuta c. Aniuta then computes the two preimages p, and po 
and sends only one of them, say p;, to Bjorn. If p; 4 p, then Bjorn can 
name both preimages p; and p2 = p, in which case we say that Bjorn 
wins; otherwise, Aniuta wins. If Aniuta wins, she has to produce the 
second preimage, which Bjorn can verify does in fact satisfy f(p2) = 
c (otherwise, Aniuta could cheat by choosing an improper key, for 
which each c has only one preimage). (Aniuta would have no interest 
in choosing a key for which each c has more than two preimages, since 
that would just lessen her chances of sending Bjorn the preimage that 
he already knows.) 


§IV.2. 


1. 


os 


(a) BH A 2AUCAJEARQ(; (b) 2047 = 23-89 (see Example 1 in §1.4), 
d4 = 411; (c) since y(23) and y(89) have small least common multiple 
88, any inverse of 179 modulo 88 will work as dy (e.g., 59). 

na is the product of the Mersenne prime 8191 and the Fermat prime 
65537 — a flamboyantly bad choice; d4 = 201934721; “DUMPTHE- 
STOCK.” 

(a) STOP PAYMENT;; (b) (i) 6043; (ii) nm = 113-191. 

On the third try t = 152843, 152844, 152845 you find that t? —n = 804? 
and so p = 152845 + 804 = 153649, g = 152845 — 804 = 152041. 

To show that one cannot feasibly compute the companion element in P 
that has the same image as a given element, we suppose that a person 
who knows only Kg (i.e., knows n but not its factorization) obtained 
a second pair +z2 with the same square modulo n as +z,. Then show 
that g.c.d.(z1 + £2,n) is either p or q. In other words, finding a single 
pair of companion elements of (Z/nZ)* /+1 is tantamount to factoring 
n. 

It suffices to prove that a?’ = a mod p for any integer a and each 
prime divisor p of n. This is obvious if pla; otherwise use Fermat’s 
Little Theorem (Proposition 1.3.2). 

If m/2 = (p — 1)/2 mod p — 1, then a”/? = (¢), which is +1 half the 
time and —1 half the time. In case (ii), use the Chinese Remainder 
Theorem to show that the probability that an element in (Z/nZ)* isa 
residue modulo p and the probability that it is a residue modulo q are 
independent of one another, i.e., the situation in case (ii) is like two 
independent tosses of a coin. 


SI1V.3. 


1. 
2. 


(a) 24, 30, 11, 13; (b) 1,0? +a,a,a+4+1. 

(i) To justify moving the a to the left, notice that if x < y(3%) is the 
solution of 27a = 1 mod 3%, then y(3%) —z is the solution of the original 
congruence. If a = 2 mod 3, then solve the problem 27(2a) = 1 mod 3°, 
in which we do have 2a = 1 mod 3, and then x +1 is the solution of the 
original congruence. If a = 1 mod 3, then the solution z must be even, 
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because 2°44 = 2 mod 3. (iii) To show that (+); holds after choosing 
@j-2 = (1—aj;-1)/37-} you compute the left side of (*); modulo 3/ as 
follows: it equals a;_ 195 ig — 3 (oe ay 2)9524 1’, and then show that 


(1+ 3)?" *nj-2 = 14 37- "Dj 2 mod A (use the binomial expansion). 
Thus, the left side of (*); is = (1 — xf 93°5-1)) = 1 mod 3%. Finally, 
to estimate the number of bit apats obs. note that each time step 
(iii) is performed one does a couple of multiplications and reductions 
(divisions) with integers having O(a) bits, i.e., each step takes O(a”) 
bit operations; thus, the whole thing takes O(a?) bit operations. 

(a) To make your computation of (g°)* in F312 easier, use the fact that 
(c+ di)®? = c? + d?; you find that A+ Bi = 26 + 28i; (b) 20 + 13%; (c) 
P =6C + 18 mod 31; (d) YOU’RE JOKING! 

(a) Kz = 1951280, its least nonnegative residue modulo 264 is 7-263 + 
0 - 26? + 13 - 26 + 6; but you have to add 1 to this in order to get an 


invertible enciphering matrix (a5 73 (b) i rE DONOTPAY. 


The f,’s must commute, ie., fafa = fafa for all pairs of users A 
and B; you need to use it with a good signature scheme (as explained 
in the text); and it must not be feasible to determine the key for f 
from the knowledge of pairs (P, fa(P)). For example, a translation 
map fa(P) = P+bora linear map f4(P) = aP has the first property 
but not the last one, since knowing any pair (P, P + 6) (or (P, aP)) 
immediately enables anyone to find b (or a). The example in the text 
satisfies this property because of our assumption that the discrete log 
problem cannot be solved in a reasonable length of time. 

P = 6229 =“GO!” 

(a) First replace « by p — 1 — x so as to reduce to the equivalent 
congruence g*a = 1 mod p. Set | = 2k and x = rot2a1+-- -+2'-19) 4. 
Define gj = g? mod p and a; = gro t2e1+--+27~"25-1@ mod p (with 
ao taken to be a). At the j-th step, compute Gs = +1, and set 
3-1 = 0 es it - +1 and z;_; = 1 if it is —1; also compute g; = 93 45 
and a; = g;7;’. When j = 1, you’re done. (b) O(log*p). (c) k = 7912. 
THEYREFUSEOURTERMS. 

To find x, Alice converts the congruence g° = y"r™ = g*"+** to the 
congruence S = ar + kx mod p — 1, which has solution z = k71(S — 
ar) mod p — 1. Bob knows p, g, and y = ya, and so can verify that 
g° =y"r* mod p once he is sent the pair (r, z) along with S. Finally, 
someone who can solve the discrete log problem can determine a from 
g and y, and hence forge the signature by finding z. 

107. 

(a) 9/128 = 7.03%, 160/1023 = 15.64%; (b) 70/2187 = 3.20%, 
1805 /29524 = 6.11%. (See the corollary to Proposition II.1.8.) 

(a) Neglect terms beyond the leading power of p. Then the number of 
monic polynomials is (p”* — 1)/(p—1) ~ p”. The number of products 
of degree < n can be neglected. The number ny of irreducible monic 
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polynomials of degree f is + (pi —Dacs, ap Ma) © z. The number of 
products of degree n is then the following sum taken over all partitions 


n= iy tad (ia > 0): 


3 ny +i, -1 se Nm ttm —1 
44 dm 
1 


Thus, 
m ay 
Ptn.m) = S([] sie!) 
d=1 


This is obviously > 0; to see that P(n,m) < 1, notice that there are 
approximately p”/n monic irreducible polynomials of degree n, and so 
the probability that a monic polynomial fails to factor as desired is 
at least 1/n. (b) gion, o<i,j (27i5!) 1. (c) P(3, 2) = 2/3, P(4,2) = 
5/12, P(5,2) = 13/60, P(6,2) = 19/180, P(7,2) = 29/630. 


gIV.4. 


1. 
2. 


IV.5. 


ror Dm ww 


(a) yes, 1; (b) yes, 0; (c) no, 2; (d) no, 0; (e) yes, 1; (f) no, 1. 

(a) Use induction on k. (b) To show the second part, let v; be strictly 
greater than 1+ vj;-1 +---+ vo, and set V = v; — 1. 

Use induction. 

(a) INTERCEPTCONVOY; (b) 89, 3, 25, 11, 41, 60, 65. 

FORMULA STOLEN! 

BRIBE HIM! 


2T to 1. 

(a) The numbers e and z + e modulo N that Vivales receives in steps 
(2) and (3) are in the range from 0 to N — 1; so after a large number 
of trials Vivales will get a good idea of the magnitude of N. (b) Let N’ 
be a very large multiple of N, and replace N by N’ in steps (1) and 
(3). 

The values Vivales receives in step (3) are upper bounds for z. The 
values Clyde sends in step (3) are not bounded from below, unlike the 
values z + e that Picara sends. 

Picara would have y as her public key; signing a document would con- 
sist of convincing the recipient that she knows its discrete log x. 
Knowing the factorization enables one to take square roots, using the 
method at the end of §I1.2 along with the Chinese Remainder Theo- 
rem (see also Exercise 5 of §IV.2). Conversely, suppose you have an 
algorithm to take square roots. Then choose a random number z, and 
apply the algorithm to the least nonnegative residue of 2? mod n. The 
result will be x’ such that x’? = 2? (mod n). There is a 50% chance 
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that x’ # +z (mod n), in which case you immediately obtain a non- 
trivial factor, i.e., g.c.d.(a'+2,n). By repeating the procedure T times, 
you have probability 1 — 2-7 of factoring n. 

Yes. Suppose that another person Picarag playing the role of Picara 
intercepts the message (b¥ , b¥?, a1, a2) that Picara sent to Vivales, and 
wants to fool Vivales into believing that she also knows the factoriza- 
tion of n (or the 3-coloring, or the discrete logarithm, etc.). Suppose 
also that Vivales will not accept from Picarag a repetition of the exact 
same four-tuple that Picara sent. Without knowing Picara’s secret ran- 
dom integers y;, y2 or her messages m1, mz or the discrete logarithm of 
either G, or G2, Picarag has no way to construct a different four-tuple 
that gives Vivales the impression that she knows the factorization. 
Picara randomly selects 0 < x’ < N, and sends Vivales y’ = 6’. 
Then the two messages for oblivious transfer are m, = 2’ and m2 = 
xz +z! (mod N). Vivales verifies either b* = y’ or else b*+*’ = yy’. 
If the procedure is repeated T times, then the odds against Picara 
being lucky (i-e., being able to fool Vivales into thinking she knows the 
discrete log of y) are 27 to 1. 

Vivales can easily get Picara to betray the factorization of n, as follows. 
He randomly chooses integers z until he finds a z whose Jacobi symbol 
modulo n is —1. He then sends Picara y = z* mod n. Picara replies with 
the value x? of a square root of y mod n which is different from +z. 
Vivales can now find a nontrivial factor of n, namely, g.c.d.(x? + z,n). 
The proof of zero knowledge transmission using a simulator Clyde will 
not work. Another problem is that Picara would have to be certain 
that every y; had been produced by the trusted Center, and not by 
Vivales pretending to be the trusted Center. 


§V.1. 


1. 


(a) 4, 11; (b) 8, 13; (c) see part (d); (d) Show that n-1 = 
p — 1 mod 2p — 2, so that b"-! = 1 mod p, and b""! = b(@p-1-1)/2 
= (5%) mod 2p — 1. Then b"-! = 1 mod p(2p — 1) if and only if 
(gz) = 1. 

(a) Use the fact that n = n'p = n'(p—1+1) =n! mod p—1. (b) Use 
part (a) with n’ = 3 to conclude that p would have to be a divisor of 
2? —1, 5?—1, 7? —1. (c) p would have to be a divisor of 24 — 1, 34-1, 
74 — 1. (d) Any smaller n would be the product of 2 primes greater 
than 5 (by part (c)). Then check 49 and 77. 

Divide the congruence (1) with n = p* by the congruence pP’-P = 
1 mod p?, which always holds by Euler’s theorem (Proposition 1.3.5). 
(a) 217; (b) 341. 

(a) First suppose that n is a pseudoprime to the base b. Since n — 1 = 
pq —1=q-—1 mod p—1, you have b?-! = 1 mod p; but since b?-1 = 
1 mod p always by Fermat’s little theorem, and since d is an integer 
linear combination of p— 1 and q — 1, it follows that b¢ = 1 mod p. 


10. 


12. 
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Interchanging the roles of p and q gives b¢ = 1 mod q, and so b4 = 
1 mod n. The converse is similar (actually, easier). There are d? bases 
in (Z/nZ)*. (b) four: £1, (4p + 1). (c) d?/y(341) = 100/300 = §. 
(a) See part (b). (b) Since N — 1 = b(b"-! — 1)/(b — 1), where the 
numerator is divisible by n (because n is a pseudoprime to the base 
b) and the denominator is prime to n, it follows that n|N — 1. Since 
” =1 mod N (namely, (b—1)N = b” — 1), we have bN-1 =1 mod N. 
One must also show that N is composite, but this is easy if we use the 
fact that n is composite by assumption (see the corollary to Proposition 
1.4.1). The fact that N is odd (whether b is odd or even) follows by 
writing N in the form b°-! + 6°-2+...+6+41. (c) Start with 341, 
91, or 217, respectively, and use part (b) to find a sequence of larger 
and larger pseudoprimes. Note that the condition g.c.d.(b—1,n) =1 
always holds when b = 2,3,5. (d) 15 is a pseudoprime to the base 4, 
but N = (4!° — 1)/3 is not. (To see the latter, note that 4 has order 15 
in (Z/NZ)*, but N — 1 = 4(414 — 1)/3 is not divisible by 3, let alone 
15.) 
(a)n= (25) (F24) (b) Note that n is odd (see the answer to 7(b) 
above), and so 2|n — 1. Next, since (n — 1)(b? — 1) = 6?(b2?-) — 1) = 
0 mod p and p does not divide (b+ 1)(b— 1) = b? —1, it follows that 
p|n — 1. (c) Since n is an odd composite number, b?? = 1 mod n, and 
2p|n—1, it follows that n is a pseudoprime to the base b. Since there are 
infinitely many primes greater than b+ 1, in this way we get infinitely 
many pseudoprimes to the base b. 
(a) 32046 = 1013 mod 2047, so (1) fails for b = 3. (b) If composite, they 
will still be pseudoprimes to the base 2. To see this for n = pt 1, 
we note that 22° = —1 mod n, and then 2"-! = 1 mod n can be 
obtained from this by repeated squaring. For n = 2? — 1, we have 
n— 1 = 2(2?-1 — 1) =0 mod p, and so 2? =n+1=1 mod n implies 
2”-1 = 1 mod n. Using (2) with b = 2 also won’t work, since both sides 
will be 1, even if the number is composite. Using (3) with b = 2 also 
won’t work: for a Fermat number this follows because 22" = —1 mod n, 
and for a Mersenne number it follows by Proposition V.1.5. 
Expand the parentheses to show that n — 1 is divisible by 36m, and 
hence by 6m, 12m, and 18m. 
We suppose p < q. The technique to answer (a)-(b) is given in part (c). 
(a) 561 = 3-11-17; (b) 1105 = 5-13-17; 2465 = 5-17-29; 10585 = 5-29-73. 
(c) Suppose p < qg. Since g — 1|rpg — 1 = rp— 1 mod q — 1, we must 
have rp — 1 = a(q—1) for some a, 1 < a <r. Also p— 1|rg—1, and so 
p—1ja(rq—1) = r(aq)—a = r(a+rp—1)—a = (r—1)(a+r) mod p—1. 
Thus, with r fixed and for each fixed a from 2 to r — 1, there are only 
finitely many possibilities for p, namely, the primes such that p— 1 
is a divisor of (r — 1)(a+ 1). Then each prime p uniquely determines 
q, because rp — 1 = a(q — 1). Of course, not all a and p lead to a 
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Carmichael number (for example, a might not divide rp — 1). 

Any Carmichael number not listed in Exercise 12(a)-(b) must be at 
least a product of three distinct primes all > 7. 

n=21,b=8. 

(a) By Exercise 1(d), we need only look at the b for which b?-1 
(sq) = 1 mod 2p—1. Since n—1 = p—1 mod 2p—2, we have b("—1)/2 
b(?-1)/2 mod p and mod 2p — 1, i.e., b—))/2 = o-1)/2 mod n. Now 
(2)= (3°7)(2) = (2) = b(°-1)/2 mod p, so condition (2) holds if and 
only if b(®-1)/2 = (2) mod 2p — 1. This holds for exactly half of all b 
for which b?—! = 1 mod 2p — 1 (since in (Z/(2p — 1)Z)* such b must 
be a power g/ of a generator g such that +7 = 0 mod 4 if (2) =1, 
Boj = 2 mod 4 if (2) = —1). (b) n = p(2p — 1) where p = 3 mod 4 
(by Proposition V.1.5). 

Compute n modulo 72m: n = 36m? + 36m +1. Thus, 24 = 18m(m+ 
1) mod 36m. If m is odd, this means that we always nave p(r-1)/2 = 
1 mod n (because p — 1|36m for each p|n), and so (2) holds if and 
only if (2) = 1, ie., 50% of the time. If m is even, we still have 
b("-1)/2 = 1 mod 6m +1 and mod 18m + 1, while b(-)/2 = 56" = 
(z24q) mod 12m + 1. Thus, in that case (2) holds if and only if 
(q2a7) = 1 (so that b°-1)/? = 1 mod n) and also (2) = 1, ie., 25% 
of the time. 

(a) O(log*n log m); (b) O(log®n). 

(a) N is composite because n is composite (by the corollary to Propo- 
sition I.4.1); then proceed as in Exercise 9 to see that 2(N-1)/2 — 
22”"*-1 = 1 mod N. But since N = —1 mod 8, we also have (2) = 1. 
Thus, N is an Euler pseudoprime; by Proposition V.1.5, it is also a 
strong pseudoprime. (b) Use the same argument as in Exercise 7(c). 
If the first possibility in (3) holds, then obviously (b*)* = 1 mod n. Now 
suppose that b?"* = —1 mod n. Write k = 2*j with j odd. Ifi > r, then 
(bk) = 1 mod n; if i <r, then (b*)?” “t = (b?"*) = (-1)) = -1 modn. 
(a) Show that the necessary and sufficient conditions on b are: (3) =1, 
(33) = 1. These conditions both hold 25% of the time, i.e., for 80 bases 
in (Z/561Z)*. (b) Since b”° = 1 mod 3 and mod 11, it follows that 561 
is a strong pseudoprime to the base 6 if and only if "535 = +1 mod 561, 
i.e., if and only if either (i) b = 1 mod 3, b = 1 mod 17, (2) = 1, 
or else (ii) b = —1 mod 3, b = —1 mod 17, (4) = —1. There are 10 
such bases, 5 in case (i) and 5 in case (ii), by the Chinese Remainder 
Theorem. The 8 nontrivial bases b 4 +1 are: 50, 101, 103, 256, 305, 
458, 460, 511. 

Use Exercise 7(a) of §1.3, which says that the only square roots of 1 
are +1. 

(a) 8? = 18? = —1 mod 65; 14? = 1 mod 65, but 141 # +1 mod 65. (b) 
The case when n is a prime power follows from the previous exercise, so 


24. 
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suppose that n is not a prime power. First, if p|n with p = 3 mod 4, then 
no integer raised to an even power gives —1 mod n (since —1 is not a 
quadratic residue modulo p); hence, in this case the strong pseudoprime 
condition can be stated: b& = +1 mod n. This condition obviously has 
the multiplicative property. Next, suppose that n = p?! ---p%" where 
pj = 1 mod 4 for 1 < j < r. Let +a; be the two square roots of 
—1 modulo p;? (a square root modulo p; can be lifted to a square 
root modulo ae see Exercise 20 of § 11.2). Then any b which satisfies 
b = +a; mod p;’ (for any choice of the +) is a base to which n is 
a strong pseudoprime, since then b7* = (—1)' = —1 mod n. Choose 
b; by taking all of the +a; equal to a;, and choose bz by taking any 
of the 2” — 2 possible choices of sign other than all positive or all 
negative. Then show that for b = b,b2 one has b?* = 1 mod n and 
be =b#+1 mod n. 

(a) In that case you obtain a number c other than +1 whose square is 
1; then g.c.d.(c+1, 7) is a nontrivial factor of n. (b) Choose p and q so 
that p— 1 and g—1 do not have a large common divisor (see Exercise 
5 above). 


V.2. 


g.c.d.(a5 — £3,n) = g.c.d.(21 — 63,91) = 7; 91 = 7-13. 

g.c.d.(%g — £3, ) = g.c.d.(2839 — 26, 8051) = 97; 8051 = 83 - 97. 
g.c.d.(%9 — £7, n) = g.c.d.(869 — 3397, 7031) = 79; 7031 = 79 - 89. 
g.c.d.(xg — £3, n) = g.c.d.(630 — 112, 2701) = 37; 2701 = 37 - 73. 

(a) Prove by induction on k that for 1 < k < r there is a 1/r probability 
that zo,...,2;—-1 are distinct and 2; is equal to one of the earlier z;. 
For k = 1 there is a 1/r probability that f(zo) = zo. The induction 
step is as follows. By the induction assumption, the probability that 
ae e or the earlier k’s was the first for which x, = x; for some j < k is 
1- = 2) Assuming this to be the case, there are r — (k — 1) 
ete values for f(2,~1), since a bijection cannot take z,_1 to any 
of the k — 1 values f(z;),0 < j < k— 2. Of the r — (k — 1) possible 
values, one is 29, and all the others are distinct from x9, 71,...,2;-—1. 
Thus, there is a 1/(r — (k — 1)) chance that the value is one of the 
earlier x; (namely, if this is the case, note that j = 0). The probability 
that both things happen — none of the earlier k’s was the first for 
which x, = Zo but our present k has x, = xo — is the product of 
the individual probabilities, i.e., mie) . aay = +. (b) Since all of 
the values from 1 to r are equally probable, the average is = Ly par k = 
L(r(r + 1)/2) = (r +1)/2. 

Suppose that a has no common factor with n (otherwise, we would 
immediately find a factor of n by computing g.c.d.(a,n) and we would 
have no need of the rho method at all). Then f(x) = a+b is a bijection 
of Z/rZ to itself (for any r|n), and so the expected number of steps 
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before we get a repetition modulo r is of the order of r/2 (by Exercise 
5(b)) rather than ,/r, i-e., it is much worse. 

(a) 2* = 2° mod r—1; (b) £= s and k = s+™m, where m is the order of 
2 modulo ¢, i.e., the smallest positive integer such that 2” = 1 mod t. 
m is also the period of the repeating binary expansion of 1/t, as we see 
by writing 2” — 1 = ut and then 1/t = u\2, 2-™. (c) k can easily 
have order almost as large as r, e.g., if r — 1 is twice a prime and 2 
happens to be a generator modulo that prime (in which case s = 1, 
m = (r —3)/2). 


§V.3. 


1. 


(a) (using t = [/n] + 1 = 93) 89-97; (b) (using t = [/n] + 4 = 903) 
823 - 983; (c) (using t = [Yn] +6 = 9613) 9277 - 9949; (d) (using 
t = [Vn] + 1 = 9390) 9343 - 9437; (e) (using t = [./n] + 8 = 75) 
43 - 107. 

In the factorization n = ab with a > b, ifa < /n+ Yn, then b = 
n/a > n/(f/n+ Yn) > /n—- Yn. On the other hand, if we start 
with b > \/n — Yn, then we must have a < /n+ “/n + 2, because 
otherwise we would have n = ab > (/n+ Yn + 2)(/n — Yn) = 
n+./n—2/n > n (as soon as n > 15; we check Exercise 2 separately 
for the first few n). Thus, in either case a — b < 2(4/n + 1). But if 
Fermat factorization fails to work for the first value of t, then the s 
and t corresponding to the factorization n = ab satisfy: t > /n+ 1, 
and so s = V#?—n> V/(/n+1)?-—n= V/2/n4+1 > V2n, which 
contradicts the relationship s = (a—b)/2 < #/n+1 as soon as n > 33. 
(a) We would have t? — s* = kn = 2 mod 4; but modulo 4 the difference 
of two squares cannot be 2. (b) We would have ¢? — s? = 4n = 4 mod 8, 
which can hold only if both s and ¢ are even; but then (t/2)? —n = 
(s/2)?, and so simple Fermat factorization would have worked equally 
well. 

(a) (using t = [V3n] +1 = 455) 149 - 463; (b) (using t = [V3n] +2 = 
9472) 3217 - 9293; (c) (using t = [V5n] + 1 = 9894) 1973 - 9923; (d) 
(using t = [V5n] + 2 = 9226) 1877 - 9067. 

B = {2,3}; the vectors are {0,1} and {0,1}; b = 52-53 mod n = 55, 
c = 2-3? = 18; g.c.d.(55 + 18,2701) = 73; 2701 = 37-73. 

B = {-1,2,3,61}; the vectors are {1,0,0,0}, {1,0,0,1}, and 
{0,0,0,1}; 6 = 68- 152-153 mod n = 1555, c = 2-3-61 = 366; 
g.c.d.(1555 + 366, 4633) = 113; 4633 = 41 - 113. 

(a) Estimate the difference by taking the sum of the “triangular re- 
gions” between the graph of logz and the Riemann sum rectangles. 
(b) Compare f" logzdz with the sum of the areas of the trapezoids 
whose tops join the points (j,log7), and show that the total area 
between the curve and the trapezoids is bounded by a constant. (c) 
limy—s00( Flog y! — (logy — 1)) =0, so logy — 1 is the answer. 

(a) (1—27-")(1 — 2-"+1)...(1 — 2-"+*-1), (b) 0.298. 
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9. The term from the rho method becomes 3.2 x 10!” times as great, while 
the term from the factor base method becomes 2.6 x 10® times as great. 

10. (a) For s < sq, we have h(s) > f(s ) > (80) = $A(s0), and for s > 0, 
we have h(s) > g(s) > g(s0) = 34(so)- (b) Apply part (a) to log(f(s)) 
and log(9(s)). 

§ V.4. 

ll @tea0) FERGIE mH Lt rp oe oF 

2. (a) Since a++ =z, it follows that z is the positive root of x? —ar—1 = 
0, ie., c = (a + Va? + 4)/2. (b) Since the a;’s are 1, the recurrence 
relation for the numerators and denominators of the convergents are 
the same as for the Fibonacci numbers. 

Be. Det ix a ti iz tr tr tr 6 .++: it is possible to show that the a,’s for 
i = 2 mod 3 are the successive even integers, and all other a;’s are 1. 

4. For each b; you have b? — c?n is the least absolute residue of b? modulo 
n. If p divides this least absolute residue, then b? = c?n tied p, and 
this means that n is a quadratic residue modulo p. 

5. The tables below go through the first value of 7 such that the least 
absolute residues of b2,...,b? give a factorization of n. In four cases 
(parts (g), (i), (j), (k)) there is an earlier value of i such that some 
subset of these residues have corresponding vectors ~€’; which sum to 
zero; however, in those cases we end up with b = +c mod n. 

i 0 1 2 3 
(a) a; 97 1 1 17 
b; 97 98 195 3413 
b? modn -100 95 -11 44 
B = {-1,2,5, 11}, b = 97-195-3413, c = 2?-5-11, g.c.d.(b+c, n) = 257. 
a 0 1 2 3 
(b) a; 116 2 4 1 
bj 116 «6.233 «1048 )=—-:1281 
b? modn -105 45 —-137 80 
B = {2,3,5}, b = 233-1281, c= 2?-3-5, g.c.d.(b+c,n) = 191. 
i 0 1 2 
a; 93 1 2 
i) 93 94 281 


b? modn —128 59 —32 
B = {-1,2}, b= 93-281, c= 2%, g.c.d.(b+c¢,n) = 


224 


(d) 


(e) 


(f) 


(h) 


(i) 
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i 0 1 2 
a; 10 8 3 
b; 120 961 3003 
b? modn —29 65 —116 
B = {-1,2, 29}, b = 120 - 3003, c = 2-29, g.c.d.(b+¢,n) = 307. 


i 0 1 2 3 4 5 6 
a ie ae ae on SS OR | 
b; 111 223 334 891 2116 3300 5416 

b? modn -82 117 -71 89 -27 166 —-39 

B = {-1,3, 13}, b = 223-2116 -5416, c = 33-13, g.c.d.(b+c,n) = 157. 


a 0 1 2 3 4 5 
a; 120 1 1 8 2 2 
b 120 121 241 2049 4339 10727 


b? modn -127 114 -27 98 —-T71 162 
B = {-1,2,3, 7}, b = 2049 - 10727, c = 2-3?-7, g.c.d.(b+c,n) = 199. 


1 0 1 2 3 4 5 
a; 100— 1 1 1 1 2 
b 100 101 201 302 503 1308 


b? modn -123 78 -91 97 -66 77 
B= {-1,2,3,7, 11,13}, b = 101 - 201 - 503 - 1308, c=2-3-7-11- 13, 
g.c.d.(b + c,n) = 191. 


a 0 1 2 3 4 5 6 
a; 111 1 1 2 1 4 1 
b; 111112) 223) 558) =—781 = 3682 «4463 
b? modn -128 95 -67 139 -40 163 —31 
7 8 9 
6 2 1 
5562 3138 8700 
79 -115 80 


B = {-1,2,5}, b= 111-781 - 8700, c = 2” - 5, g.c.d.(b+c,n) = 59. 


i 0 1 2 3 4 5 6 7 8 
a; 96 1 2 2 5 1 1 1 1 
b 96 97 290 677 3675 4352 8027 3026 1700 


b? modn -137 56 —77 32 -107 79 -88 89 -77 
B = {-1,2,7,11}, 6 = 290-1700, c=7- 11, g.c.d.(b+¢,n) = 47. 
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i 0 1 2 3 4 5 6 
: a; 1591 2 1 1 2 4 
(i) b 159 160 479 639 1118 2875 12618 
b? modn -—230 89 -158 145 -115 61 -227 
7 8 9 
1 5 1 


15493 13550 3532 
50 —-167 145 
B = {-1,2,5, 23,29}; b = 639-3532; c=5-29; g.c.d.(b+c,n) = 97. 


i 0 1 2 3 4 5 
(k) a; 1331 2 4 2 3 
b; 133. 184 4401 1738 3877 13369 
b? modn -184 83 -56 107 -64 161 
6 7 8 
1 2 1 


17246 12115 11488 
-77 149 ~88 
B = {-1,2,7, 11,23}; b = 401 - 3877 - 17246 - 11488; c= 2°-7-11; 
g.c.d.(b+c,n) = 61. 


§ V.5. 
2. Part 6) is the most time-consuming. Time is bounded by 


primes p<P 


0( by ‘aptns] = O(Alogn log P log log P). 


(The question asked only about steps 1-7; the other time-consuming 
stage for very large n is finding linearly dependent rows modulo 2 in 
the matrix of exponents corresponding to the B-numbers among the 


t? —n.) 
3. (a) 
t Pn 2 13 17 19 29 37 41 47 
1030 14297 Spe Ds Re ce 
1319 693158 1 111 212- - 
1370 830297 a as 
1493 1182446 1 - 12%1-+ - 


Rows 1 and 3 are dependent and lead to the factorization 1879 - 557. 
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(b) 
t t—n 2 


i) 
On 


13 17 19 23 31 37 41 


1030 = 1209 
1043-28158 
1046 =. 34425 
1047 = 36518 
1079 104550 
1096 §=141525 
1123 201438 
1141 242190 
1154 = 272025 
1161 288230 
1199 377910 
1233 460598 
1251 505310 
1271 555750 
1284 588965 
1309 653790 
1325 695934 
1366 806265 
1371 819950 - 
1420 956709 eee Oe 
1504 1202325 Lice Ps So 


Rows 1, 2 and 7 are dependent mod 2, but do not lead to a nontrivial factor. 
Rows 1 and 9 are dependent and lead to the factorization 1787 - 593. 


(c) 
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a) 
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t tn 2 


on 
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11 17 19 37 43 47 


1 - + 


1001 3230 1 
1003-7238 1 
1004 = 9245 - 
1018 = 37553 = 
1039 80750 1 
1056 116365 - 
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em | 
| 
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1069 143990 
1086 180625 
1090 189329 - 
1146 314545 = 
1164 356125 
1191 419710 
1241 541310 
1311 719950 
1426 1034705 
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Rows 1 and 5 are dependent and lead to the factorization 661 - 1511. 


§ VI.1. 

1. Either the circle group (if the real curve has one connected component) 
or the product of the circle group and the two-element group (if it has 
two connected components). An example of the first is y? = x3 +2; an 
example of the second is y* = x? — x (for an equation of the form (1), 
this depends on whether the cubic on the right has 1 or 3 real roots). 

2. n? complex points of order n; n real points of order n if n is odd, and 
either n or 2n if n is even, depending on whether the real curve has 
one or two components. 

3. Same examples as in Exercise 1. 

4. (a) On the z-axis; (b) inflection point; (c) a point where a line from 
an z-intercept of the curve is tangent to the curve (in addition to the 
points in (a)). 

(a) 3; (b) 4; (c) 7; (d) 5. 
Characteristic 2: 23 = 4th +a, +2, y3 =ctyt+# siti M72 (7) +23), and 
when P = Q we have z3 = ae yg =ce+yit t44(p) Le) and for 


equation (2b): 3 = uty + Bt 427,422 +4, y3 = (pte (1 + 


zyit+z3 @1+22 Gites 
£3) +23 + y1, and hen P = Q we have x3 = ai + yg = 2 + 


2 
(a1 + 2 )rs + 23; characteristic 3: 23 = (n=2) —a—21— 22, ¥3 = 


2 

—yit BS (ai —23), and when P = Q we have 3 = (su=2) —a+z), 
ys = yi + az1—P (a, — 3). 

7. (a) Show that in each pair {a,—a} exactly one of the values z = +a 
leads to 2 solutions (x, y) to the equation (treat x = 0 and the point at 
infinity separately). (b)-(c) Use the fact that 2 +> 2° is a 1-to-1 map 
of F, to itself when q = 2 mod 3. 


8. The following table shows the type of the abelian group for each value 
of q and each of the two elliptic curves: 
qd 3 5 7 9 11 13 17 
y>=a?—a2 (2,2) (4,2) (4, 2) (4,4) (2,2,3) (4,2) (4,4) 
y? =x°-1 —_o (2, 3) (2,2) Tee (4, 3) (2, 2,3) (2, 9) 


19 23 27 

(2 2, 5) (4, 2, 3) ) (2, 2,7) 

2°2°7) °(8,3) (2,2,3,3) 

9. (a) Let P = (z,y). Then —P = (z,y +1), 2P = (z*,y* +1). (b) We 
have 2(2P) = (z'6, y'6 +141) = (x16, y!6) = (2, y) = P. (c) By part 
(b), 2P = —P, ie., (x4, y4+1) = (z,y+1); but this means that 2* = ¢ 
and y* = y, so that x and y are in the field of 4 elements. By Hasse’s 
theorem, the number N of points is within 2\/4 = 4 of 441 and within 
2/16 = 8 of 16+1, ie, N =9. 
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The denominator of the zeta function is always (1 — T)(1 — pT); the 
following table shows the numerator for p = 5,7, 11, 13: 

y2=2?—-2 1427457? 1477? 14+11T? 1-67 +137? 

yy=23-1 1+5T7? 1-47+4+7T? 14117? 1-274 137? 
In both cases there is no solution (x,y) to the equation over F,, so the 
only point is the point at infinity. The numerator of the zeta function is 
1—2T +2T? and 1—3T +37", respectively. Then N, = N((1+i)" —1) 
and N((1+w)" — 1), respectively, where w = (—1+ iV/3)/2. 


§ V1.2. 


1. 


2. 


Pick elements of F, at random, and stop when you find g such that 
g(t-))/2 = —1 (rather than +1). 

Let x € F, correspond to m. (a) Let f(x) = 23-2. Note that precisely 
one of f(x), f(—a) = —f(zx) is asquare. Let y = f(r)+)/4 Then show 
that either (x,y) or (—z, y) is a point on the curve. (b) Choose any y, 
set z = (y? + y)?-9/3 (unless y = 0 or —1, in which case set x = 0), 
and show that (x,y) is on the curve. 

(a) The sequence of points (z, y) is: 


(562,576), (581,395), (484,214), (501,220), (1,0), (1,0), (144, 565). 


(b) ICANT (I can’t). 

(a) E mod p has a noncyclic subgroup, namely, the group of points of 
order 2; (b) E mod p has a subgroup of order 2 or 4, namely, the points 
of order 2. 

Use the formulas in Example 5 of §1. (a) Use congruence modulo 3 to 
show that in both cases (r odd and r even) one has 3|N,. (b) When 4|r 
we have: N, = (27/2 — 1)? = (2°/4 + 1)?(2"/4 — 1)?, which is divisible 
by an (r/4)-bit prime if and only if r/4 is a prime for which 27/4 — 1 is 
a Mersenne prime; it is divisible by an (r/4 + 1)-bit prime if and only 
if r/4 = 2* with 22" +1 a Fermat prime. 

(a) The F,-points then form a proper subgroup of the F,--points (by 
Hasse’s theorem), and that subgroup has more than 1 element (also by 
Hasse’s theorem). Thus, N,. has a proper divisor. (b) In both cases let 
E have equation y” + y = 23 — x +1; one easily checks that over F2 or 
Fs the curve has no points except for the point at infinity O. Thus, the 
argument in part (a) does not apply, and one finds that when p = 2 
we have No = 5, N3 = 13, Ns = 41, Nz = 113, Ny, = 2113 (note 
that the zeta-function is (1 — 2T + 2T?)/(1—T)(1—2T); for r prime 
N, is prime if and only if the so-called “complex Mersenne number” 
(1 +)" —1 is a prime in the Gaussian integers, or equivalently, if 
and only if 2" + 1 — (2)2("+1)/2 is a prime, where (2) is the Legendre 
symbol); when p = 3 we have No = 7, Ns = 271, Nz = 2269 (here the 
zeta-function is (1 — 3T + 3T?)/(1 — T)(1 — 3T)). 

(a) y2+y = 2° +a, where a is either of the elements of F4 not in Fe. 
(b) The zeta-function is (1 — 4T + 4T?)/(1 — T)(1—4T), and the two 


10. 


11. 
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reciprocal roots of the numerator are both 2; then use the remark at the 
end of §1. (c) The double of (zx, y) is (x*,y*) (note that the 4th-power 
map is the “Frobenius” map, i.e., the generator of the Galois group of 
F,- over F,). (d) Doubling any point r times gives (x*", y*”) = (2, y), 
ie., any P € E satisfies 2”P = P. 

(a) Use the fact that something is in F 2 if and only if it satisfies x? = z; 
and also the fact that (a + b)? = a? + b? in a field of characteristic 2. 
(b) The map z+ z+ 1 gives a 1-to-1 correspondence between the z’s 
with trace 0 and the z’s with trace 1. (c) Choose random z € For, 
substitute the cubic 2? + az + b for z in g(z), and if z= 2? +azr+b 
lands in the 50% of elements with trace 0, then the point (x, g(z)) is 
on the curve. 

When working with E modulo p, one uses the same formulas (4)—(5) 
of §1, and one gets the point at infinity when one adds two smaller 
multiples kP = ki P + keP which, when reduced modulo p, have the 
same x-coordinate and the negative of each other’s y-coordinate. That 
is equivalent to conditions (1)—(2) in the exercise. 

The denominator of 8P is divisible by p = 23, and so P mod 23 has 
order 8 on E mod 23, by Exercise 9. However, Hasse’s theorem shows 
that E mod 23 has more than 8 points. 

(676,182), (385,703); (595,454), (212,625); (261,87), (77,369); 
(126,100), (66,589); (551,606), (501,530); (97,91), (733,110); 
(63, 313), (380, 530). 


§VL3. 


1. 
3. 


(a) 1—1/q; (b) 1—1/g. 

(a) Ifn = 2?" +1 is prime, then any a with (2) = —1 has this property. 
See Exercise 15 of §1I.2 concerning a = 3,5,7. On the other hand, if 
p is a proper prime divisor of n, and if a? = —1, then 2?" but 
not 27°" is a multiple of the order of a modulo p, i.e., this order 
is 2" =n-1> p — 1, which is impossible. (b) First suppose that 
n = 2? —1 is prime. To show that E’ mod n has 2? points, see Exercise 
7(a) of § VI.1. To show that the group is cyclic, prove that there are 
only two points of order 2, because the cubic x? + x has only one 
root modulo n. Then any of the 50% of the points which generate 
E mod n (i.e., which are not the double of any point in E mod n) have 
the properties (1)—(2). Conversely, suppose that n has a proper prime 
divisor @. If P satisfied properties (1)—(2), then on E mod £¢ the order of 
P would divide 2? but not 2?-1, i.e., it would be 2?. But then 2? = n+1 
would divide the number of points on E mod £, and this contradicts 
Hasse’s theorem, which tells us that this number is < £+2V+1. To 
generate random points on E mod n, choose z € Z/nZ randomly. If 
b = x3 + 2 happens to be a square modulo n, then setting y = b("+1)/4 
will give y? = b- b-/2 = 73 4+ x, (See Remark 1 at the end of 
§ 11.2.) 
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§ V1.4. 


1. 
2. 


g.c.d.(2* —1,n) =n, but g.c.d.(3* — 1,n) = 127; n = 127-421. 

The probability that a random residue a in (Z/pZ)* satisfies pla* — 1 
is one out of (p — 1)/g.c.d.(k, p — 1). Since there is little chance that 
a* —1 will be divisible by any other divisor of n, this is also an estimate 
of the probability that g.c.d.(a* — 1,n) = p. 

(a) 3 out of 41; (b) 22 out of 41; (c) 25 out of 127; (d) 68 out of 127; 
(e) 105 out of 399. 

Choose k = 2° . 34. 5% Here are the first value of a for which the 
method gives a factor, the factor it gives, and the value of k, for which 
the algorithm terminates: (a) 1, 37, 23; (b) 2, 71, 26 - 34 - 5; (c) 1, 67, 
26 . 34. 5; (d) 1, 47, 28-3; (e) 2, 79, 26 - 34. 57; (f) 1, 73, 26 - 3; (g) 
5, 53, 2?; (h) 4, 59, 26 . 32; (i) 1, 47, 26 - 3; (j) 3, 97, 26-3; (k) 1, 61, 
28 . 34.52 

If the latter possibility occurred, it would mean that ¢’(k,/)P mod p = 
O mod p for some ¢’ < @, while (ki /£)P mod p # O mod p. But ¢’ is a 
product of primes é* < £, and our choice of exponents in (2) ensured 
that for each such @* the highest power of £* that could divide the 
order of P mod p in E mod p already occurred in (€*)%*, i-e., in 
k,/é. 

(a) If n happens to be divisible only by primes which are = 3 mod 4, 
then there are always p+ 1 points on E mod p for p|n (see Exercise 
7(a) of §1 for the case a = —1; but the same argument applies for any 
a). In that case it won’t help to vary a if p+ 1 is divisible by a large 
prime for each p|n. (b) If n happens to be divisible only by primes 
p = 2 mod 3, then there are always p+ 1 points (see Exercise 7(b) of 
§1), and so again it won’t help to vary b if p+ 1 is divisible by a large 
prime for each p|n. 

Generate pairs (E, P) where E has equation y? = x(x —a)(z—b); then 
E has four points of order 2, including the point at infinity (see Exercise 
4(a) of §VI.1). To do this, choose random a, z, yo; set y = x(x — a)yo 
and then b = x — yyo. 
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bit, 3 
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congruence, 19, 193 

conjugate, 32 

continued fraction, 155 
factorization method, 158-159 

convergent, 155 

cryptanalysis, 56 

cryptography, 54 
public key, 85 

cryptosystem, 54-55, 83 
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composition, 64, 79 
Diffie-Hellman, 98-99, 181-182 
ElGamal, 100-101, 109, 182 
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216 
Merkle-Hellman, 113-114 
private key, 88 
product, 64, 78-79 
public key, 85 
RSA, 22, 92-93, 106, 125, 137, 
153 

structure, 56 
symmetric, 88 

cyclic group, 34 

Cyrillic, 63, 78 


Data Encryption Standard, 101 
deciphering, 54 
key, 83 
transformation, 54 
decryption, 54 
determinant, 67 
deterministic algorithm, 127 
encryption, 89 
Diffie-Hellman assumption, 99, 121 
key exchange, 98-99, 181-182 
Digital Signature Standard, 101-102 
digits, 1 
binary (bit), 3 
number of, 3 
digraph, 54, 59 
transformation, 59 
Dirichlet L-series, 134 
discrete log, 97-98 
algorithms for, 102-106 
on elliptic curve, 180 


divisibility, 12 
exact, 12 
division points, 173 

divisor, 12 
nontrivial, 12 
proper, 12 


ElGamal cryptosystem, 100-101, 109, 
182 
signature, 109-110 
elliptic curve, 167-168 
addition law, 168-170 
complex points, 171 
cryptosystem, 181-182 
factorization, 191-192, 195-198 
global, 183 
nonsupersingular, 181 
over finite field, 174 
primality test, 188-190 
rank, 173 
real points, 176-177, 227 
reduction, 184, 193-194 
supersingular, 181 
torsion subgroup, 173, 185 
Weil pairing, 180-181 
zero element, 169 
zeta-function, 175 
elliptic function, 173 
enciphering, 54 
key, 56, 83 
matrix, 71-72 
transformation, 54 
encoding, 179 
encryption, 54 
Euclidean algorithm, 13 
for Gaussian integers, 18 
for polynomials, 17 
Euler phi-function, 15, 21-22 
pseudoprime, 129 
exponentiation, 23, 97 


factor base, 145 
algorithm, 103, 148 
factoring, 27-29, 92 
continued fraction method, 158- 
159 
with elliptic curves, 191-192, 195- 
198 


Fermat factorization, 15, 96, 143- 
144 
Monte-Carlo method, 138-140 
Pollard p — 1 method, 192-193 
quadratic sieve, 160-162 
rho method, 138-142 
trial division, 126, 138 
Fermat factorization, 15, 96, 143-144 
prime, 29, 51, 109, 190 
Fermat’s Little Theorem, 20, 126 
Fibonacci numbers, 16-17, 77-78, 159, 
211-212, 223 
fields, 31 
automorphism of, 32, 36 
characteristic of, 33 
finite, 20, 33 
Galois extension, 32 
isomorphism, 32 
of p elements, 20, 33 
prime, 33 
splitting, 33 
finite fields, 20, 33 
automorphism of, 36 
existence and uniqueness, 35- 
36 
generator, 34 
irreducible polynomials over, 38- 
39, 104, 110 
roots of unity in, 42 
square roots in, 42, 48, 52, 96, 
179-180 
subfields, 38 
fixed digraph, 81 
message unit, 62, 64 
frequency analysis, 56 
Frobenius, 183, 229 
function, one-way, 85 
trapdoor, 85 
Fundamental Theorem of Arithmetic, 
12, 26 


Galois field extension, 32 
Gauss sum, 44, 45, 134 
Gaussian integers, 17, 37, 42-43, 171 
generator of finite field, 34 
Germain, Sophie, 207 

prime, 207 
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“giant step — baby step” method, 
103 
global elliptic curve, 183 
graph, 118 
greatest common divisor, 12 
of Gaussian integers, 17 
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